
Setup - Building A Linux Server Using Webmin

This document provides instructions for setting up a Linux server using Webmin. It discusses downloading Debian ISO files, installing Debian onto the server, configuring basic settings like the computer name and time zone during setup. It also covers creating a user account in addition to the default root user. The instructions are intended to be followed step-by-step to build up the server configuration.


Setup : Building a Linux Server using Webmin

By Kevin Elwood (Version 3.94)

- Continue reading as a webpage, or Download the complete PDF

- Have questions? Got problems? Visit the Blog for (this) topic

- Stuck on Page #1? Can't get Webmin to install? Try watching the video

- Want to set up a software RAID for your operating system? Try watching the video

- Want to set up a ProxMox virtual machine server? Try watching the video

This how-to assumes you're looking to set up, build and manage a Linux server, not a Linux desktop,
and that it will run headless (without a monitor, keyboard or mouse).
After setup completes you will be managing it remotely, and will have no need for the monitor and keyboard once
you have finished the initial setup. This how-to also assumes you are connected to the internet and have at least two computers
on the same network. It also assumes you will have at least two hard drives in the server, one for the OS and one for the data.
Only one network card is needed until the optional \ advanced section.

For every download link, I offer an alternative source (from my server) so that you may follow this how-to exactly, down to the
same versions I've tested. Newer is better and you're encouraged to upgrade after you complete this how-to, but for continuity
and flow I provide a link to the same versions I've used and tested. Also, due to upgrades, some versions may no longer be
available; if you run into this, just use the links to my server, or go to webmin.com and find the newer link.

This how-to covers everything from the most basic setup to a full-blown dedicated server. You can choose how far to go in
this step-by-step how-to, even setting your Linux box up as your Router, Samba FileServer, Firewall, DNS, HTTP, HTTPS,
FTP \ SFTP, Virtual Machine Server \ Hypervisor \ ProxMox, Backup solutions, and more...

*Note, if you're planning a VMWare server (Page 5 \ advanced) or any kind of Hypervisor, see this disclaimer before you begin

*Note, if you're planning an FTP or SFTP server (Page 3), see this disclaimer before you begin

No table of contents: it is assumed you will follow this how-to step by step, as each page builds off the previous ones. If you
skip a page, you could miss an installer or file called for later in the how-to. I hope you will find this how-to helpful. I will try
my best to respond to all questions via email at kevinthecomputerguy@woodel.com, but please try my BLOG first. With any luck that will turn into a knowledge base.

My stuff will always be free for personal use, but if you would still like to contribute, you can donate money towards this, or
one of my other how-tos.

*Special thanks to:

Melissa Elwood, Bill Manges, Mike Juan, Julio Cuz, Nathan Roy, Tim Ragusa, James Mitchell, Peter B., ggaron, till,
sammydee, Mihai Marinof, Mad Professor, John Rowe, Lani78, Jordan Sissel, Jerome1232, Drdos2006, and of course
Jamie Cameron (Webmin \ Usermin) Putty, Cobian Backup, Debian Linux, Ubuntu, Ubuntuforums.org,
Mcgarrahancomputers.com, Tekzilla, HAK5, Proxmox.com, Berkhamsted Web Design, Go2linux.org, Protonic.com
And the millions of people that make Linux possible.

- OK... Lets begin

Although this guide was created using Debian 5, it will also help Debian 6, Debian 7 and Ubuntu users. You will run into some
differences with Ubuntu's firewall (UFW), Ubuntu's Network Manager, Ubuntu's AppArmor, and the way Ubuntu restarts
services. Both now come with nano as the default text editor and not vim, so you will need to install vim (apt-get install vim).

But these aren't major problems; the workarounds and differences are fairly minor and easy to overcome.

You can email me or read my blog for help. For a step-by-step install, please use Debian 7.

Start by downloading and burning the latest stable Debian .iso from Debian.org

(32 bit PC)


http://cdimage.debian.org/debian-cd/7.2.0/i386/iso-cd/

(64 bit PC) *Don't worry that it says AMD, it also works for 64-bit Intel.
http://cdimage.debian.org/debian-cd/7.2.0/amd64/iso-cd/

(Multi-Arch) *A larger CD with both 32bit and 64bit on it.


http://cdimage.debian.org/debian-cd/7.2.0/multi-arch/iso-cd/

i386 = 32bit
amd64 = Both Intel 64bit processors and AMD 64 bit processors.
Multi-Arch = A larger download with 32bit and 64bit on the same CD.
Net Install = A smaller CD that depends on the internet to complete the install.

The links above get old and retired\archived very quickly, with each new revision.
If the links above die, simply navigate to the debian.org homepage, Stable Downloads Section.

* You only need CD #1 , if there is more than one to choose from

Or from my server

(32 bit PC, Net Install)


http://woodel.com/my-linux-how-to/debian-7.2.0-i386-netinst.iso

(64 bit PC, Net Install) *Don't worry that it says AMD, it also works for 64-bit Intel.
http://woodel.com/my-linux-how-to/debian-7.2.0-amd64-netinst.iso

(Multi-Arch, Net Install) *A larger CD with both 32bit and 64bit on it.
http://woodel.com/my-linux-how-to/debian-7.2.0-amd64-i386-netinst.iso

*Again, due to upgrades some versions may no longer be available. If you run into this, just use
the links to my server, or go to Debian.org, find the stable section, and find the newer link.

Before you begin the install, remove any unwanted \ unneeded hardware,
such as zip drives, sound cards, etc.

Disable any useless BIOS options, such as COM ports, integrated sound cards, etc.
Disable any keyboard or mouse warnings.
Disable any power management features.
If your BIOS has an OS option, choose Other.

Remove all hard drives except the one you're planning on being the OS drive.
This will ensure you do not format the wrong drive, and help make this how-to a little
smaller and easier to follow.

It is assumed you only have one network card at this point. If you have more than one, you
may want to remove or disable them. The second NIC won't be used until the
optional \ advanced sections, and can interfere with the eth numbering and
firewall setup before the optional \ advanced section.

One more BIOS item, since this will be a headless box anyone can walk up to: once the install is finished, put the hard drive first in the boot order, disable booting from CD and USB, and set a BIOS password, so that physical access alone does not hand out a root shell from a live CD.
Boot the computer off the Debian install CD, and choose Install.

Do not choose Graphical Install; you don't want that, just choose Install.

Everything in this how-to is case sensitive, so if I use lower-case, then use lower-case.
If you see something in capital letters, make sure to use capitals.
Basically, copy it exactly as you see it.
Choose a unique name for the computer; I did deb32server1.
To me that means Debian, 32-bit, Server, first one of several.

Think of it as your computer's first name; on the next page we will set the last name.

You can make something up; we will be referring to this computer by its IP address anyway,
so the name is somewhat meaningless, as long as it is unique, so that you don't have
a same-name conflict with another computer on your network.
You can even use deb32server1 just like I did.

This is private to your network; it doesn't matter if you copy me exactly,
and it may even help make the how-to a little easier to follow.

Choose a domain name for the computer; I did diy.lan

Which to me means Do It Yourself . Local Area Network

You can make something up. It's almost like a last name for your computers.
It's totally private to your network. But just like your family, you're going to want to have the same
last name on all your computers.

Which makes this computer's full name deb32server1.diy.lan

Which to me means
Debian, 32-bit, Server, first one of several, on a custom do-it-yourself Local Network

We will be referring to this computer by its IP address for now anyway, so this
isn't too important at this point.

Much later on in the how-to, when we set up a Local Dynamic DNS server
(which is optional and advanced) you might find it easier to follow the how-to if you also use diy.lan

It doesn't have to end with .lan; you could make something up.
I just think it will help the flow of the how-to if you choose something ending in .lan.
(Whatever you pick, avoid a real public domain you don't own: names under it could later resolve to the internet instead of your LAN. .lan is not delegated in the public DNS, which is why it works; the name formally reserved for this purpose is home.arpa, from RFC 8375.)

Choose your time zone

Choose Guided - use entire disk

If you removed all the other hard-drives pre install, you should only see one option here.

Choose All files in one partition
(This is the simplest layout. On a server that accepts uploads, a separate /var or /home keeps a filled-up data area from filling the root filesystem; this how-to puts the data on a second drive instead, so one partition is fine here.)
Choose a password for the account named root (choose a very strong password here)

Create a second user, so you don't always have to log in as root.
Here I used the name wood.

You can use anything you want.
I like to keep the username the same as the full name; this can help avoid confusion later on.

Choose a password for the account you just created
(Choose a very strong password here as well. On Ubuntu this first user is given sudo rights, so it is as powerful as root; on Debian it is an ordinary user until you add it to the sudo group later.)

You should be able to leave this blank, and click Continue.
If you have a proxy, chances are you would know what to do here anyway.

Using the space bar on your keyboard, un-check Desktop environment.
Make sure to un-check everything, with the exception of Standard system utilities.
We will install most of these things later in the how-to; don't be tempted to click on them now.
And most importantly, do not choose Desktop environment.
This is a server how-to, not a desktop how-to. (Fewer packages installed also means fewer services listening and less to patch.)

Remove the CD, and press Continue.

Did you see this screen? If not, you probably didn't remove the CD.
Make sure you are not booting off the CD anymore.

If everything goes right, you should get a lot of text on the screen
and finally a login prompt like this one.

Please ignore that mine says debian-1 at the bottom left; I am just at a different computer today.
If you were expecting that to say deb32server1 login: you are right.

Your screen will say your computer name, followed by a login prompt.

This won't interrupt the flow of anything at this point.

Log in as username root with the password you specified during setup.
*Note, if you can't log in as root (Ubuntu disables the root password by default), log in as your username, and type sudo before every command.

Type vim /etc/apt/sources.list

Then hit the Enter key on your keyboard.

(there is always a space after vim)

*Note, if you get an error, some versions of Linux don't come with vim; you can install it by typing apt-get install vim

* If you don't see anything on the screen (the contents of that file) then you typed something wrong.
** When you see the screen above, you know you typed it correctly.

Press the Insert key (or i) on your keyboard to allow you to type inside the file.

Use the # symbol to comment out unwanted lines.

Comment out any lines that have cdrom in them.

When you are finished, press the Esc key on your keyboard; this will take you out of insert mode
and should move your cursor to the bottom left of the screen.

Then press the : key.
You should see this symbol on the bottom left of your screen.

Then type wq!

So that it reads :wq! in the bottom left corner of the screen.

Then press the Enter key.

It should then save the changes to that file and exit you back to the command prompt.
It will say something like filename written.
(Plain :wq does the same; the ! only forces the write when vim believes the file is read-only, so get in the habit of :wq and add the ! only when vim refuses.)

You won't need to use the vim editor very often after we complete the setup. But if you're stuck
on it and can't get it to work, do a Google search on Linux vim editor; there should be some
good examples that will help you with the previous page. Only if you're stuck.

What that did was tell the computer not to use the CD when looking for software.

Now run apt-get update so it will both realize your cd-rom changes, and go look on
the internet for the newest package lists. This only refreshes the list of available packages;
it doesn't actually install anything.

(there is always a space after apt-get)
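As an added example (not from the how-to), here is the same sources.list edit done from the shell instead of vim, which is handy once you are building more than one box. It assumes GNU sed and grep, as on Debian, and defaults to the guide's /etc/apt/sources.list; it only touches lines that are still active (not already commented) and whose source is cdrom:, and leaves a .bak copy next to the file.

```shell
#!/bin/sh
# Added example, not part of the how-to: comment out active cdrom: entries in
# an apt sources list non-interactively, keep a backup, and let you count
# what is still active.  Path defaults to the guide's /etc/apt/sources.list.

# Matches "deb" or "deb-src", optional [options], then a cdrom: URI.
# Anchored with ^ by the callers so already-commented lines are skipped.
CDROM_SRC='[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?cdrom:'

# active_cdrom_lines [FILE] -> prints how many un-commented cdrom: sources remain
active_cdrom_lines() {
    grep -cE "^$CDROM_SRC" "${1:-/etc/apt/sources.list}" || true
}

# disable_cdrom_sources [FILE] -> comment those lines out in place
disable_cdrom_sources() {
    f=${1:-/etc/apt/sources.list}
    [ -w "$f" ] || { echo "$f is not writable (are you root?)" >&2; return 1; }
    cp -p "$f" "$f.bak" || return 1
    sed -E -i "s/^($CDROM_SRC)/# \1/" "$f"
}

# Typical use on the freshly installed box, as root:
#   disable_cdrom_sources && [ "$(active_cdrom_lines)" -eq 0 ] && apt-get update
```

Running disable_cdrom_sources twice is harmless: the second pass finds nothing active and changes nothing, so the .bak is still a copy of the file as you found it.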

As long as you're connected to the internet, you should see something like this.

This next step is optional. After an apt-get update you will almost always want to
do an apt-get dist-upgrade.

That's the command that actually goes out and installs the newest versions, including the security fixes.

But if you want your screens to match mine exactly, you might want to hold off on
this step until you're further into the setup and more comfortable with the screens.

I will leave this as optional right now, and rest assured we will perform one later.

Newer is better, but doing it now could put you at a version that doesn't match this how-to.
Pick your poison :- )

If you have chosen to upgrade now, here is how.

Type apt-get dist-upgrade and it will go get any approved updates that are available for your computer.

(there is always a space after apt-get)

If it finds something, you will probably be asked to type Y or YES and hit Enter.

Either way, you're ready for the next step.

Now we are going to install some packages (software).

Type apt-get install samba samba-common-bin ssh openssl dnsutils apt-show-versions

(there is always a space after apt-get)
(there is a space between each package above)
(this is the hard way; later on in the how-to we will get into copying and pasting)

Type it word for word.

It's going to tell you that you need some additional packages (dependencies), and it will prompt you to go get them.
When asked, make sure you type Y for yes and hit Enter.

*Note, you do not have to specify whether you want 64- or 32-bit packages; apt-get will decide for you
based on your system. This is an excellent feature.

The install of Samba is going to ask you a few questions on screen. A text-mode dialog box will come up, without
any mouse support. So use the Tab key on your keyboard to move around it, and the Enter key to
choose things like Next, Continue and OK.

Enter the same domain name you did before.

I'm going to use diy.lan

Choose No to this.

You are almost ready to remove the keyboard and the monitor. We just need to set a static IP address
(or reserve a DHCP one).

If you type ifconfig and hit Enter, it will show your current eth0 (Ethernet) IP address
(inet addr) as well as your MAC address (HWaddr).

You should see something like this.
If you're familiar with setting up DHCP reservations on your router, you just need the MAC address
and you will know what to do from here.

If you're not familiar with how to do that and just want to set a local static IP address, here is how.
Note, later on in this how-to it's assumed you have a static IP address, so you may want to set up a
static address even if you know how to do DHCP reservations.

First, choose an IP address that isn't part of your DHCP scope. For example, if your router is handing out
IP addresses in a pool of 192.168.2.2 through 192.168.2.100 then you wouldn't want to use any of those
99 addresses in that pool (.2 through .100).

But you could safely choose anything above that pool, such as 192.168.2.101, 192.168.2.102, etc.,
just as long as it isn't in the range of addresses available to the DHCP server's pool.

If you don't know how to check what IP range your router is handing out, just add 100 to the IP address
you currently have. This is sloppy, but will most likely work. For example, if you automatically got an
IP address of 192.168.2.72 it's probably safe to set a static address of 192.168.2.172, as most address
pools are not larger than 100 (100 higher than what you currently have). This is sloppy, but should work
if this all sounds French to you. Whatever you pick, ping it from another machine first; if something answers, the address is already taken.

Giving this a lot of extra thought can help with future problems; for example, on my network
anything above a .100 address means it's a server or printer of some kind. Anything above .200
means it's wireless. Giving meaning to these can be of great importance later on, as your
network starts to grow.

If all those numbers look French to you, just remember to make sure you give your Linux box an IP
address that is on your same network. For example:

If youre on a 192.168.2.xxx network

address 192.168.2.111 (replace 111 with the IP address you want)


netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
gateway 192.168.2.1

If youre on a 192.168.1.xxx network

address 192.168.1.111 (replace 111 with the IP address you want)


netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

If youre on a 192.168.0.xxx network

address 192.168.0.111 (replace 111 with the IP address you want)


netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

If youre on a 10.10.10.xxx network

address 10.10.10.111 (replace 111 with the IP address you want)


netmask 255.255.255.0
network 10.10.10.0
broadcast 10.10.10.255
gateway 10.10.10.1

To enter a static IP address, type vim /etc/network/interfaces

(there is a space after vim)

You should see something like this

Find the area that says
iface eth0 inet dhcp

Press the Insert key (or i) on your keyboard.

Change it to say static instead of dhcp, and add the following lines (replace 111 with the IP address you want):

iface eth0 inet static
address 192.168.2.111
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
gateway 192.168.2.1

Don't put a note on the same line as the address: ifupdown only ignores lines that start with #, so a trailing comment would become part of the value.

That's it; you just have to tell the editor to save it.

Press Esc on your keyboard; this should drop your cursor to the bottom left of the screen.

Type :wq!
Press Enter on your keyboard.

If you did it correctly it should say something like filename written

and return you to the command prompt.

Once you are back at the command prompt, type reboot and hit Enter on your keyboard.

Your system should reboot and come up with the new IP address.

After you log in again as username root, type ifconfig and make sure eth0 is getting
the IP address you specified.
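The worked example below is added here and is not part of the how-to. It is a POSIX shell script that does the arithmetic the pages above do by hand (network and broadcast from address and netmask), refuses a gateway that is not on the same subnet, checks that the address lies outside a DHCP pool you give it, and prints the stanza ready to paste into /etc/network/interfaces. The interface name defaults to eth0 as in the guide; the 192.168.2.x values in the comments are the guide's example, not anything on your network.

```shell
#!/bin/sh
# Added example, not part of the how-to: derive network/broadcast from the
# address and netmask, sanity-check the gateway and the DHCP-pool rule from
# the pages above, and print a ready-to-paste /etc/network/interfaces stanza.
# Interface name defaults to eth0 as in the guide.

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Four decimal octets, each 0-255, nothing else.
valid_ip() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    set -- $(printf '%s\n' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
}

# net_bcast ADDRESS NETMASK -> prints "network broadcast"
net_bcast() {
    ip=$(ip2int "$1"); mask=$(ip2int "$2")
    net=$(( ip & mask ))
    echo "$(int2ip "$net") $(int2ip $(( net | (~mask & 4294967295) )))"
}

# same_subnet A B MASK -> true when A and B share a subnet under MASK
same_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# outside_pool ADDRESS FIRST LAST -> true when ADDRESS is not in FIRST..LAST
outside_pool() {
    a=$(ip2int "$1") lo=$(ip2int "$2") hi=$(ip2int "$3")
    [ "$a" -lt "$lo" ] || [ "$a" -gt "$hi" ]
}

# iface_stanza ADDRESS NETMASK GATEWAY [DEV] -> prints the stanza, or fails
# loudly on a malformed address, a gateway off the subnet, or an address that
# is really the network or broadcast address.
iface_stanza() {
    addr=$1 mask=$2 gw=$3 dev=${4:-eth0}
    for a in "$addr" "$mask" "$gw"; do
        valid_ip "$a" || { echo "not an IPv4 address: $a" >&2; return 1; }
    done
    same_subnet "$addr" "$gw" "$mask" || { echo "gateway $gw is not on $addr/$mask" >&2; return 1; }
    set -- $(net_bcast "$addr" "$mask")
    if [ "$addr" = "$1" ] || [ "$addr" = "$2" ]; then
        echo "$addr is the network or broadcast address" >&2; return 1
    fi
    printf 'auto %s\niface %s inet static\n' "$dev" "$dev"
    printf '\taddress %s\n\tnetmask %s\n\tnetwork %s\n\tbroadcast %s\n\tgateway %s\n' \
        "$addr" "$mask" "$1" "$2" "$gw"
}

# Example with the guide's numbers (router hands out .2 through .100):
#   outside_pool 192.168.2.111 192.168.2.2 192.168.2.100 && \
#       iface_stanza 192.168.2.111 255.255.255.0 192.168.2.1
```

Redirect the stanza into the file only after a ping of the chosen address from another machine goes unanswered; an answer means something already owns it, and two hosts with one address is the sort of fault that looks like a flaky network for weeks.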

Now go to a different computer, running Windows, and make sure you can ping that IP address.
Type ping 192.168.2.111 (or whatever IP address you gave it).

If you're not familiar with ping on a Windows machine, just click on the Start button
and type cmd.

In the black DOS-like window, type ping 192.168.2.111

Make sure it replies back from the IP you're pinging. If it comes back saying something like
Destination Unreachable, go back and figure out what's wrong.

Look for typos.

Maybe your network card is eth1, and not eth0.

Don't continue with the how-to until it replies.

Now go back to the Linux box, and make sure you're connected to the internet:
try to ping www.google.com

It should reply back something like this; the numbers don't really matter, just make sure it's replying.

You can hit Ctrl + C on your keyboard to make it stop pinging.

That's the Ctrl key and the C key: hold down Ctrl and press the C key.

If it replies, you're connected to the internet.

If it doesn't reply, check your internet connection.

Make sure in your /etc/network/interfaces file the IP address of your gateway is the same
IP address as your router.

If you have checked everything and determined you are having a DNS issue,
and that your Linux box is the only computer having this issue,
you can edit the file /etc/resolv.conf by typing

vim /etc/resolv.conf

and add some name servers (one nameserver line per address).

You should see something like this
I got these numbers from dyndns.org
http://www.dyndns.com/services/dynguide/readme.html

They provide some awesome name servers. Another good one is OpenDNS
http://www.opendns.com

And just like before, to save and exit it's

Escape
:
wq!
Enter

Or you can use the name servers (DNS servers) from your ISP, that you're actually paying for.
To figure out what your name servers are from your ISP, launch another cmd window from
your Windows computer, and type ipconfig /all

Look towards the bottom for DNS Servers, and use those IP addresses as
your nameservers in /etc/resolv.conf

Once you can ping your Linux box, and your Linux box can ping www.google.com,

you can go back over to your Linux box and shut down by typing halt -p
It will turn off, and you can remove the monitor and keyboard.

You may want to just remove the keyboard, and leave the monitor plugged in for now,
so you can watch it power on \ boot up the first time, and make sure your computer isn't complaining
that it can't find the keyboard. If it complains about the keyboard, go into your BIOS and tell it not to
warn about missing keyboards or mice.

Once you're sure it will boot up without a keyboard, you can go ahead and remove the monitor.

Fight any temptation to plug the monitor and keyboard back in; doing so will hurt your learning
experience, as it's no longer needed. We will be accessing and managing the computer remotely from
here on. So the rest of this how-to will be completed remotely, using a Windows computer.

You will be using two forms of remote management tools to access the Linux server. Putty is one of them
and Webmin is the other. You will be using Webmin most of the time, until you get more familiar
with Putty.

You can download Putty from http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Or from my server http://woodel.com/my-linux-how-to/putty.exe

*Due to upgrades some versions may no longer be available. If you run into this, just use the links to
my server (this will ensure matching print screens), or go to http://the.earth.li/~sgtatham/putty/latest/x86/
and find the newer link.

You have to choose Save, not Run or Open. It isn't an installer; it's a self-contained exe, and has
to be saved to the hard drive before running.

We will use Putty to install Webmin onto the Linux box. Then you won't need Putty again until
much later in the how-to.

Launch Putty, and enter the IP address of the Linux box.

You should see something like this

Everything else is already configured correctly; just enter the IP address of the Linux box and
click Open.

The very first time you connect, Putty will show the server's SSH host key fingerprint and ask whether to trust and cache it.
Before you say yes, compare it with the fingerprint the box itself prints when you run
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
(easiest while the monitor is still attached). If they match, say yes; from then on Putty will warn you if that key ever changes, which is exactly what another machine pretending to be your server would look like.

If successful you should get a black box asking you to log in. Log in as username root.
(We will continue to use root until the setup is complete.)

You should see something like this

Once logged in, type or copy and paste the following commands.

To paste into the Putty window, all you have to do is right-click.

Once it is pasted into the Putty window, press the Enter key on your keyboard. Your Linux box
will run the pasted or typed commands.
Say yes if prompted.

Paste in the following command, then press Enter.

apt-get install apache2 vsftpd quota

Paste in the following command, then press Enter.

apt-get install rssh etherwake ntpdate libio-socket-ssl-perl

Paste in the following command, then press Enter.

apt-get install monit ethtool rsync

This should take a while to complete. Keep in mind that Debian starts a service as soon as its package is installed, so apache2 and vsftpd are now listening with their default configuration; the later pages set them up properly, so don't expose this box to the internet before you get there.

After it finishes, type the following command:

mkdir /options and hit Enter on your keyboard.

This stands for make directory and will make a folder called options on the root of the hard drive.
We are going to use this folder to download the Webmin installer into.

Type cd /options and hit Enter on your keyboard.

This will put you into the options folder.

Next we will use the wget command to download the Webmin installer.
wget, followed by the full path to a file on a website, will download that file.

Type or paste wget http://prdownloads.sourceforge.net/webadmin/webmin_1.660_all.deb

and hit Enter on your keyboard.

(there is a space after wget)

Or from my server wget http://woodel.com/my-linux-how-to/webmin_1.660_all.deb

*Due to upgrades some versions may no longer be available. If you run into this, just use the links to my server
(this will ensure matching print screens), or go to webmin.com and find the newer link by right-clicking the download link and viewing its properties.

Once you have the http path to the Webmin installer, type wget http://xxxxxxxxxxxxxxxxxxx and hit Enter.

You should see it start to download the file, and it will show you the download progress.

You should see something like this

It will download it to the current folder that you're in, so it just downloaded it to the /options folder.

When it finishes downloading, type dpkg -i webmin_1.660_all.deb and hit Enter on your keyboard, or dpkg -i webmin_x.xxx_all.deb (if
new name or version).

Or dpkg -i /options/webmin_1.660_all.deb or dpkg -i /options/webmin_x.xxx_all.deb (if new name or version).

That stands for Debian Package Install, and will install the Webmin program packaged for Debian. Note that dpkg does not check who built the package: whatever .deb you point it at is unpacked and its scripts run as root. The download just came over plain http, so compare the file's checksum (sha256sum webmin_1.660_all.deb) with the one published alongside the download before you run this.

If it tells you you're missing something, just type

apt-get -f install

or
apt-get install -f

and hit Enter on your keyboard. It will then go get anything it needs to finish the install.

*If that doesn't work, try typing in everything: apt-get install followed by all those things it says you're missing, and hit Enter on your keyboard.

It will remember you were trying to install Webmin, and will finish installing it after any missing packages are installed.
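Added example (not the how-to's own commands): a small shell wrapper around the wget and dpkg -i steps above that refuses to install the .deb unless its SHA-256 matches a checksum you copied by hand from the download page. The URL is the guide's; WEBMIN_SHA256 is a placeholder you must replace with the published value. It assumes sha256sum, wget and dpkg are present, as they are on the Debian box built above.

```shell
#!/bin/sh
# Added example, not part of the how-to: fetch the Webmin .deb and only hand
# it to dpkg -i if its SHA-256 matches a value copied by hand from the
# download page.  WEBMIN_SHA256 is a placeholder (deliberately not hex) so
# the script cannot "pass" until you fill it in.

WEBMIN_URL=http://prdownloads.sourceforge.net/webadmin/webmin_1.660_all.deb
WEBMIN_SHA256=REPLACE-WITH-THE-PUBLISHED-CHECKSUM

# sha256_matches FILE EXPECTED -> 0 if FILE hashes to EXPECTED, 1 if not,
# 2 if EXPECTED is not a 64-character hex digest (a typo must not look like a match).
sha256_matches() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "expected checksum is not hex" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "expected checksum must be 64 hex characters" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# fetch_verified URL DIR EXPECTED -> prints the verified path; on any mismatch
# the download is deleted so a bad file cannot be installed by hand later.
fetch_verified() {
    url=$1 dir=$2 expected=$3
    name=${url##*/}
    wget -q -O "$dir/$name" "$url" || { echo "download failed: $url" >&2; return 1; }
    if sha256_matches "$dir/$name" "$expected"; then
        printf '%s\n' "$dir/$name"
    else
        echo "checksum mismatch for $name; deleting it, NOT installing" >&2
        rm -f "$dir/$name"
        return 1
    fi
}

# Run as root, after filling in WEBMIN_SHA256 (the guide's next step follows on success):
#   deb=$(fetch_verified "$WEBMIN_URL" /options "$WEBMIN_SHA256") && dpkg -i "$deb" && apt-get -f install
```

If you would rather not copy checksums at all, Webmin also publishes an apt repository signed with its own key; once that key is installed, apt verifies every Webmin update for you, which is the better long-term arrangement for a box you plan to keep patched.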

Still can't get Webmin to install? Try watching the video

You should now have Webmin installed, and can exit out of Putty
by typing exit or logout.

To log in to Webmin, open Internet Explorer or Firefox and type your IP address, followed by :10000,
preceded by https://

https://the-ipaddress-of-your-linux-box:10000

For example, if your Linux box IP address is 192.168.2.172 you would type
https://192.168.2.172:10000

*Note, if you have been following along, you probably expect my IP address to be 192.168.2.111
or 192.168.2.172 (you're right).
I'm just at a different office and server today.

In the example below, this Linux box is now 192.168.2.1, so I need to type
https://192.168.2.1:10000

You would type the same thing, but with your IP address instead.

You will probably get a warning telling you not to trust the webpage. What the browser is saying is that it cannot verify who is on the other end, because Webmin generated its own self-signed SSL certificate rather than one issued by a certificate authority your browser knows. The connection is still encrypted, but on this first visit you are trusting that nobody on the network is sitting in the middle, so do it from your own LAN and, if you want to be sure, compare the certificate fingerprint the browser shows with the one on the server (openssl x509 -in /etc/webmin/miniserv.pem -noout -fingerprint). You can swap in a certificate of your own later under Webmin Configuration, SSL Encryption.

If you have problems with this later on, switch to Firefox. With Firefox you can choose to
save the certificate permanently so you're not always prompted, and it will then warn you if the certificate ever changes. In Internet Explorer you just have to
choose Continue to this Webpage every time.

You should see something like this

Once you've checked the certificate, click Continue.

You should get to a screen that looks like this,

with all of your management tools on the left. You can do almost everything from here;
Webmin is an extremely powerful tool.

I like to use a combination of Putty and Webmin to administer my Linux servers. But since this how-to is about doing it all
through Webmin, we will stop using Putty and start using the SSH module within Webmin when needed. The copy & paste
works best in Putty, so if you see me switch back to Putty, it's because I want you to copy \ paste a command, simply to
avoid a hand cramp or typo.

I just wanted you to have the experience of using Putty, in case you lock yourself out of Webmin, and to hopefully influence
you to learn Putty and the command line later on down the road.

First thing we have to do is remove the current SSH module that came with Webmin; it has outdated ciphers in it and
will not work. To remove the SSH Webmin module, click on Webmin in the top left corner and choose
Webmin Configuration.

Next click on the icon that says Webmin Modules.

Once inside the Webmin Modules page, click on the Delete tab towards the top.

Choose SSH Login and then click on Delete Selected Modules.

*Make sure you don't accidentally choose SSH Server; it's SSH Login you want to click on.

Tick the Remove from users and reset control settings checkbox and then choose Delete.

If successful, it should say the module was successfully deleted.

That's it, it's uninstalled. Now we have to install the new one.

Click on Webmin in the top left corner and choose Webmin Configuration again.

Click on the icon that says Webmin Modules.

Make sure you're in the Install tab of the webpage,

and choose From ftp or http URL.

And paste the following URL into the box to the right:

http://www.webmin.com/download/modules/ssh2.wbm.gz

Or from my server http://t3.woodel.com/my-linux-how-to/ssh2.wbm.gz

*Due to upgrades some versions may no longer be available. If you run into this, just use the links to my server (this will ensure matching print
screens), or go to webmin.com and find the newer link.

Click on Install Module and Webmin will go get the module file and install it. Keep in mind that Webmin fetches the file over plain http and installs whatever it receives with root privileges, without checking a signature; if you would rather not trust the path between your server and that URL, download the .wbm.gz on your PC, look it over, and use the From uploaded file option instead.

If successful you should see something like this, telling you it put it in your access control list, under the category Others.

Click on the Others category on the left menu and choose SSH2 Login.

The SSH2 module will begin to open.

If you're ever prompted to install Java, it's talking about the web browser on your Windows PC, not Java for your Linux box. Just go
to http://java.com from your Windows PC and run the install if needed. If you're using Firefox, you may need to do this after every time
you upgrade your browser.

Once you see the MindTerm logo below, you're good to go.

Just hit the Enter key on your keyboard, and you can log in using username root.

If you still don't see SSH2 Login, try hitting the Refresh Modules button at the bottom left, and/or look under Un-used Modules.

If you don't like this single-window view, you can click on the Module Config button and tell it to open in a separate window.

Make the following changes,

then click on Save, and the next time you launch the SSH2 module it will open in its own little window.

Here is what it will look like in separate-window mode.

Press Enter on your keyboard, and log in as root.

This should look familiar to you; it works almost the same as Putty.

When you're done, type logout and press Enter on your keyboard.

Wait 10 seconds for the logout to happen, then you can hit the X in the right-hand corner to close the window.

This will be helpful when you want to run a command that answers you back, asking a question like are you sure or hit yes to continue.

Webmin has a built-in command shell that works great. And most commands have a built-in yes option that can answer some prompts.
But it doesn't allow you to interact and answer questions the way this SSH2 module and Putty can. Putty allows you a much wider copy \ paste
range than this SSH2 module. So if you're a copy-and-paster, you will like Putty much more (right-click = paste in Putty).

Again, I would encourage you to use Putty instead of this, but this particular how-to isn't about that :- )

For the next step we are going to use Webmin's built-in command shell. It's super convenient when you don't need to interact with the answer.

Click on Others and click on Command Shell.

We are going to execute the command mii-tool.

Type mii-tool in the box and then click Execute Command.

You should see something like this

The grey area is where it will show you the results of the command.

We need to make sure you're getting a full-duplex connection and not half-duplex.

*Note, if you're following this guide using a Virtual Machine, you can skip any mii-tool errors; virtual NICs don't have this flaw, and mii-tool
errors can be ignored.

If yours answers back full duplex, then you're all set, and you can skip this part of the how-to.

If it says half duplex and it's not a virtual machine, then do not skip any pages.

If you simply got an error, that means mii-tool doesn't support your network card; this isn't a problem. Just run the command ethtool eth0

Click on Others, click on Command Shell and execute the command ethtool eth0

(there is a space after ethtool)
(that's eth ZERO, not eth OH)

If it says Duplex: Full then you're good to go, you can skip the commands below.

*Note: if you're following this guide using a Virtual Machine, you can skip any ethtool errors. Virtual Machines don't have this flaw, and ethtool errors can be ignored.

If it says Duplex: Half and it's not a virtual machine, then do not skip any parts, you must fix this.

If mii-tool told you that you had a half duplex connection, then the fix is to add the following line to the /etc/rc.local file

mii-tool -F 100baseTX-FD eth0

If that doesn't work, try ethtool, ethtool is better for newer network cards anyway.

If you got an error running mii-tool, and/or if ethtool eth0 told you that you had a half duplex connection, then add the following line to the /etc/rc.local file

ethtool -s eth0 speed 100 duplex full autoneg off

Here is how to edit that file the Webmin way, using the File Manager
(you're going to like this)

It makes everything a lot easier

Click on Others and then click on File Manager

Click on the etc folder and then in the right side window, scroll down until you find the file named rc.local
This file is executed at startup, so we can use it to make changes that happen every time the computer restarts.

Single click on the rc.local file (do not double-click), double-click will try to download the file, that isn't what you want.

Single click the file, so that it is highlighted, then using the buttons along the top, choose Edit

A new window should open, and will let you edit the contents of that file.

You should see something like this

You can type directly into that window

If mii-tool told you that you had a half duplex connection, copy and paste this
above exit 0

mii-tool -F 100baseTX-FD eth0

(if you know the card is gigabit, use 1000base in place of 100base in these commands)

You should have something like this

Click Save & Close and that's it, the file is edited, all you need to do is reboot, I will show you how to do that on the next couple pages.

If mii-tool gave you an error and/or ethtool eth0 told you that you had a half duplex connection, then edit the rc.local file and copy/paste this instead

ethtool -s eth0 speed 100 duplex full autoneg off

Click Save & Close and that's it, the file is edited

(if you know the card is gigabit, use speed 1000 in place of speed 100 in this command)
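Editing rc.local by hand works, but it is easy to paste the line twice, or to paste it below the exit 0 where it never runs. This added example (not from the how-to) is a small shell script that reads the Duplex line from ethtool-style output and inserts the ethtool fix above exit 0 exactly once; the sample rc.local and the ethtool text are constructed inline, so no real NIC or /etc/rc.local is touched.

```shell
#!/bin/sh
# Added example, not part of the how-to: decide from ethtool output whether
# the duplex fix is needed, and insert the fix into an rc.local-style file
# exactly once, just above its final "exit 0" (a line below "exit 0" never
# runs). The sample files below are constructed for the demonstration.

# Read ethtool-style output on stdin and print "full", "half" or "unknown".
# Looks for the "Duplex: Full" / "Duplex: Half" line the how-to refers to;
# an error message (unsupported card, no such device) yields "unknown".
duplex_from_ethtool() {
    awk '
        tolower($1) == "duplex:" { d = tolower($2) }
        END { if (d == "full" || d == "half") print d; else print "unknown" }
    '
}

# Insert LINE into FILE immediately before the last "exit 0" line, unless
# FILE already contains LINE (so re-running the script is harmless).
# The file is rewritten in place through a temp copy so its mode and owner
# are kept; rc.local must stay executable or it will not run at boot.
add_before_exit0() {
    file=$1
    line=$2
    if grep -qxF -e "$line" "$file"; then
        return 0                               # already present: nothing to do
    fi
    tmp=$(mktemp) || return 1
    n=$(grep -nx 'exit 0' "$file" | tail -n 1 | cut -d: -f1)
    if [ -n "$n" ]; then
        awk -v n="$n" -v ins="$line" 'NR == n { print ins } { print }' "$file" > "$tmp"
    else
        cat "$file" > "$tmp" && printf '%s\n' "$line" >> "$tmp"   # no exit 0: append
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Demonstration on constructed data (no real NIC or /etc/rc.local is touched).
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh -e\n# rc.local: executed at the end of each multiuser runlevel\nexit 0\n' > "$dir/rc.local"

    # Constructed ethtool output for a card stuck at half duplex.
    sample_ethtool='Settings for eth0:
        Speed: 100Mb/s
        Duplex: Half
        Auto-negotiation: on'

    if [ "$(printf '%s\n' "$sample_ethtool" | duplex_from_ethtool)" = half ]; then
        add_before_exit0 "$dir/rc.local" 'ethtool -s eth0 speed 100 duplex full autoneg off'
        add_before_exit0 "$dir/rc.local" 'ethtool -s eth0 speed 100 duplex full autoneg off'
    fi
    cat "$dir/rc.local"          # the fix appears once, directly above exit 0
    rm -rf "$dir"
}

demo
```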

If you have skipped to this page, you missed how to use the Webmin File Manager to edit files.

We are going to do it again so that everyone is on the same page.

Click on Others and then Click on File Manager

Click on the etc folder and then in the right side window, scroll down until you find the file named rc.local
This file is executed at startup, so we can use it to make changes that happen every time the computer restarts.

Single click on the rc.local file (do not double-click), double-click will try to download the file, that isn't what you want.

Single click the file, so that it is highlighted, then using the buttons along the top, choose Edit

A new window should open, and will let you edit the contents of that file.

You should see something like this

You can type directly into that window

Somewhere above the exit 0, copy and paste this

# hello world

You should have something like this.

Click Save & Close and that's it, the file is edited

We put a # in front of hello world so that it would ignore that line. Linux ignores lines that start with a #
and in most cases will ignore lines that start with a ;

Now we are going to use Webmin's Bootup and Shutdown module to reboot the computer.

Click on System, click on Bootup and Shutdown, then scroll down to the bottom and click Reboot System

It will ask you if you're sure, tell it to do it, then the computer should reboot. At that point your screen will be un-usable while it reboots. Just wait about 5 minutes and you should be able to use Webmin again.

Assuming the reboot went OK, let's go back to the File Manager and edit some more files.

Click on Others and then click on File Manager

We need to disable IPv6, this how-to later on assumes you're only using IPv4

Let's edit the file /etc/modprobe.d/aliases (*If you're using Ubuntu, this file may not be needed, or may be called aliases.conf)

(you can tell by the line above it's a file named aliases inside the folder called modprobe.d which is located inside the etc folder)

Change the line

#alias net-pf-10 ipv6

To

alias net-pf-10 off

Make sure you remove the # from the beginning, or Linux won't read it.

Click on Save and Close

Next let's edit the file /etc/modprobe.d/blacklist (*If you're using Ubuntu, this file may not be needed, or may be called blacklist.conf)

Add the line

blacklist ipv6

Click on Save and Close

So far we have stopped it from loading, and stopped it from coming back after upgrades.

We are done with disabling IPv6, and can move on to something else.

It is good practice to make comments in these files, of the changes you make, like

#Changed by Kevin, from ipv6 to off

But since you have this how-to to refer back to, there isn't much point in making any comments.

But it is a good habit to get into once you complete the how-to, and start editing files on your own.

This is a good time to mention a few quirks about computer names in Linux.

The Webmin installer probably told you that you can access your machine from https://your-computers-name:10000

And you probably found that didn't work.

This isn't a Webmin problem. Anytime you switch from DHCP to static, or switch from one static IP to another, there are a few files you need to edit, as these files are expecting to get this information from the DHCP server, but static IPs don't communicate back with the DHCP server.

/etc/hosts (replace 127.0.1.1 with your Linux box's static IP address)

*not to be confused with 127.0.0.1, you want to edit/replace 127.0.1.1

Click on Save and Close

Then edit

/etc/hostname (make sure it's right)

Then edit

/etc/resolv.conf (make sure your router is listed as one of the nameservers, and that it's searching the right local domain)

Click Save and Close

Reboot your Server, and the computer name should now be playing nice with your static IP address. This is just the foundation, it won't actually come into play until we configure Samba later on in the how-to, but you now have the right settings for using names along with static IP addresses.
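The 127.0.1.1 line and the 127.0.0.1 line look alike, and the name in /etc/hostname has to agree with whatever /etc/hosts says. This added example (not from the how-to) is a shell script that rewrites only the 127.0.1.1 entry of an /etc/hosts-style file and then checks that the hostname resolves, through that file, to the static address. The file contents, the name debbox and the address 192.168.2.5 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the how-to: fix the 127.0.1.1 line in an
# /etc/hosts-style file and then verify that the name in /etc/hostname
# resolves, via that file, to the static address rather than to 127.0.1.1.
# The how-to warns against touching 127.0.0.1; this only rewrites 127.0.1.1.
# All files below are constructed copies, not the real /etc files.

# Replace the address on the 127.0.1.1 line of HOSTS_FILE with STATIC_IP.
# Lines for 127.0.0.1 (localhost) and everything else are left as they are
# (awk re-joins the edited line with single spaces).
set_hosts_static_ip() {
    hosts_file=$1
    static_ip=$2
    tmp=$(mktemp) || return 1
    awk -v ip="$static_ip" '$1 == "127.0.1.1" { $1 = ip } { print }' "$hosts_file" > "$tmp"
    cat "$tmp" > "$hosts_file"     # rewrite in place, keeping mode and owner
    rm -f "$tmp"
}

# Print the address that HOSTS_FILE maps NAME to (first match, ignoring
# comments), or nothing if the name is absent.
hosts_lookup() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# Return 0 when the hostname in HOSTNAME_FILE maps to STATIC_IP in HOSTS_FILE,
# 1 otherwise (missing entry, or still pointing at 127.0.1.1 / another address).
check_hostname_matches() {
    hosts_file=$1
    hostname_file=$2
    static_ip=$3
    name=$(head -n 1 "$hostname_file" | tr -d '[:space:]')
    found=$(hosts_lookup "$hosts_file" "$name")
    [ -n "$name" ] && [ "$found" = "$static_ip" ]
}

demo() {
    dir=$(mktemp -d)
    # Constructed copies of a fresh install's files; "debbox" and 192.168.2.5
    # are made-up values, substitute your own name and static IP.
    printf 'debbox\n' > "$dir/hostname"
    printf '127.0.0.1\tlocalhost\n127.0.1.1\tdebbox.lan\tdebbox\n\n# IPv6 lines are left untouched\n::1 ip6-localhost ip6-loopback\n' > "$dir/hosts"

    if check_hostname_matches "$dir/hosts" "$dir/hostname" 192.168.2.5; then
        echo "already correct"
    else
        echo "debbox still points at $(hosts_lookup "$dir/hosts" debbox)"
    fi
    set_hosts_static_ip "$dir/hosts" 192.168.2.5
    check_hostname_matches "$dir/hosts" "$dir/hostname" 192.168.2.5 && echo "debbox -> 192.168.2.5 ok"
    cat "$dir/hosts"             # the 127.0.0.1 localhost line is unchanged
    rm -rf "$dir"
}

demo
```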

Next let's familiarize ourselves with the Upload and Download module for Webmin.

This isn't a very fast way of sending/receiving files, because of the https encryption Webmin is using. That level of encryption is an awesome thing, and it keeps your passwords very safe from prying eyes. But inside your local network it can be a little over-kill, and will really slow you down.

But once we cover it, we can move on to the faster and more convenient ways, like ftp, http, and Samba file shares.

Inside of Webmin, click on Others and then click on Upload and Download

You should see something like this

This module is pretty easy to use, just make sure you change the

Download to file or directory field to be /options

This will make it much easier to find files that you upload/download to the Linux box.

Let's walk through it once, click on the Upload to Server tab at the top

Assuming the file you want to upload is located on your Windows PC, just make sure to change the
Download to file or directory field to be /options

Then browse to the file you want to upload

Click Upload and it will upload it to the /options folder on your server.

You can then browse to it using the File Manager

Click on Others and then click on File Manager, and then click on options

Or if the file you want to upload to the server is located on the web, and not on your Windows PC

Go back to the Upload and Download module, and choose the Download from Web tab instead.
They work the same way, the file will end up in your /options folder.

Just make sure to change the

Download to file or directory field to be /options

And then paste the URL to the website/file you want to download
into the URLs to download field

You won't always know the URL to the file you want, but you should be able to right click on it from your Windows PC, choose properties, and copy and paste the URL into the URLs to download field

Paste it into Webmin's Upload and Download module's URLs to download field

You probably noticed how very slow that was, that's again due to the encryption, we will speed all that up later on in the how-to

Using the File Manager, you should be able to see your newly uploaded file

Let's edit some more files

Let's edit the file /etc/ssh/sshd_config (to limit the users who are allowed to SSH)

Make sure there is a d in there, this isn't the same as ssh_config, you don't want that, you want to edit sshd_config

You should see something like this

Somewhere towards the bottom, add the following line

AllowUsers root wood

Replacing wood with whatever username you created during the install

Anyone that can SSH can browse all your folders and list all your files, so it's extremely important to limit that.

Basically don't give anyone but yourself SSH access.

Don't give anyone but yourself Webmin access

Later in the how-to we will cover rssh for users

That stands for Restricted SSH, and does work as promised.

Later in the how-to we will cover Usermin
This is a Webmin-like interface, but can be locked down for users

But basically, don't ever give someone else Webmin or SSH access, it's not a good idea until you have mastered Linux and are comfortable with file permissions and jailing home directories.

We will even be taking access away for root later on in the how-to. That way you're not ever typing that password over the internet. But for now, during the initial setup on your local network, it's ok.
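The AllowUsers line only protects you if it is the one sshd actually reads: uncommented, spelled correctly, and listing only the accounts you intend. This added example (not from the how-to) is a shell check that pulls the active AllowUsers names out of an sshd_config-style file and compares them with the list you expect; the config excerpt is constructed, and wood is the how-to's own example account name.

```shell
#!/bin/sh
# Added example, not part of the how-to: read the AllowUsers directive out of
# an sshd_config-style file and compare it with the accounts you meant to
# allow. sshd ignores blank lines and lines whose first non-blank character
# is "#", and keywords are case-insensitive, so a "#AllowUsers ..." line left
# commented out grants nothing. The config text below is constructed.

# Print, one per line, every name listed on an active AllowUsers line.
allowed_ssh_users() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }               # comment or blank
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# Compare the active AllowUsers names against EXPECTED (space separated).
# Prints one line per problem; returns 0 only when the two sets match.
check_allowusers() {
    config=$1
    expected=$2
    status=0
    actual=$(allowed_ssh_users "$config" | tr '\n' ' ')
    if [ -z "$actual" ]; then
        echo "no active AllowUsers line: SSH is not limited to specific accounts"
        return 1
    fi
    for u in $actual; do                   # names present but not intended
        case " $expected " in
            *" $u "*) ;;
            *) echo "unexpected SSH user: $u"; status=1 ;;
        esac
    done
    for u in $expected; do                 # names intended but missing
        case " $actual " in
            *" $u "*) ;;
            *) echo "missing SSH user: $u"; status=1 ;;
        esac
    done
    return $status
}

demo() {
    cfg=$(mktemp)
    # Constructed excerpt of /etc/ssh/sshd_config after following the how-to.
    # The commented "#AllowUsers" line stays inert; "wood" is the how-to's
    # example account, substitute the user you created during the install.
    cat > "$cfg" <<'EOF'
Port 22
Protocol 2
#AllowUsers nobody
UsePAM yes
AllowUsers root wood
EOF
    echo "active AllowUsers: $(allowed_ssh_users "$cfg" | tr '\n' ' ')"
    check_allowusers "$cfg" "root wood" && echo "matches the intended list"
    check_allowusers "$cfg" "wood" || echo "(root is still allowed; the how-to removes it later)"
    rm -f "$cfg"
}

demo
```

After any edit to the real file, sshd -t checks the whole configuration for syntax errors before you restart the service, so a typo cannot lock you out.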

Next we are going to install the second hard-drive (the data drive) and use Webmin to mount it.

Everything in Linux is treated like a file or a folder. So when you are adding hard-drives, you go through a mounting process, which makes that drive appear as a folder amongst the other folders on your system. This can be a little strange at first, but if you do some good planning on your folder names, it can help with some of the confusion.

Let's start by powering off the Linux box. You do this the same way you restart it, using the Bootup and Shutdown module, but just choose Shutdown System instead of Reboot.

This how-to assumes you know how to physically install the second hard-drive, go ahead and do that now. When you're done, use the computer's power button to turn it back on.

Wait about 5 minutes then you should be able to get back into Webmin.

Using the File Manager module create a folder called /mymounts

As you can probably guess by the name, this folder is going to contain drives that you have mounted. The system mounts a lot of drives and partitions for you, as well as the CD drive, Floppy drives, etc. To help avoid some of the confusion of mount points, you will know anything inside this folder is actually a separate device (hard drive or partition) that you mounted yourself, this will help refresh your memory every time you navigate to it.

The forward slash / just tells it to be its own folder, at the root, on the beginning of the drive, and not a subfolder of some other deeper folder.

Just make sure to choose the new folder button, and not new file, and don't be tempted to click on mount, that isn't what you want

You should see something like this when you're done

Now go inside the mymounts folder and create a folder called d2p1

You should see something like this when you're done

d2p1 stands for (drive two partition one)

It's the second drive in the system, and it's the first partition on that drive

So what this folder structure means is: it's something you mounted yourself, because it's in the mymounts folder. And it's the second drive inside the computer, and is the first partition on that drive.

(If you had a second partition on the second drive, you would mount that in
/mymounts/d2p2) a third drive would be /mymounts/d3p1/ and so on

We need to format the second hard-drive. We need to do this before mounting it, because when it's mounted, it's considered in use. So pre-mounting, let's format it.

Using the Webmin module Partitions on Local Disks

Click on your second hard-drive, if you have followed the how-to exactly, it will be the second one in the list (B)

Click Device B (assuming that is for sure your second hard-drive)

You should see something like this

Click on Number 1
(There should be only 1 number, if there is more than 1, click on them and delete them)
(Triple check you are on Device B though!)

You should see something that looks like this

Change the Type to Linux
Then click Save.
This will kick you back to the main screen again, where you will have to click on device B again

Click on device B again

And next to the Create Filesystem button change that to Linux Native
(Linux Native = filesystem ext3 as of the date of this writing)

Write down your device file name, on mine it's /dev/hdb1

This stands for device, hard drive B (B meaning 2nd), 1 (meaning first partition)

If you have a newer computer, it will most likely list them beginning with an S (example sdb1)
Meaning it thinks it's a SCSI or SATA disk.

Then click Create Filesystem

You should see something like this.

Don't check for bad blocks, it takes way too long and the webpage will time out

We will talk about how to check for bad blocks later in the how-to

Then click on Create Filesystem

You should see something like this

This can take hours to finish

If it fails, just run it again.

If successful, you should eventually see command complete at the bottom of the screen.

Now that it's installed and formatted, we can mount it.

Using the Webmin module Disk and Network Filesystems

Change the Type box next to the Add mount button to
Linux Native Filesystem ext3

Then click the Add mount button

You should see something like this

Make the following changes

In the Mounted As field type /mymounts/d2p1

Change Check Filesystem at boot to Check First

In the Other Device field, check the button so it knows to use that field, and put the actual device name of the second hard-drive.
*If you forgot what it was, refer back to the previous section.

On mine it's /dev/hdb1

This stands for device, hard drive B (B meaning 2nd), 1 (meaning first partition)

If you have a newer computer, it will most likely list them beginning with an S (example sdb1)
Meaning it thinks it's a SCSI or SATA disk.

If you get confused just refer back to the previous section, it will show you how to check what your device name is.

Change Use Quotas to User only
If successful, you should see it listed in the next screen

Sometimes in this how-to I will have you do things the hard way, or the long way, when it will help you to understand some of the more confusing tasks.

Like for instance you're probably already wondering why I didn't have you install Putty much, much earlier, so you could have copied and pasted straight from this how-to. But then you wouldn't have learned how to type them correctly.

You probably also saw a few options that would have made mounting easier, like this button

But then you wouldn't have learned the /dev/ device names

Or maybe you saw this window during the format

But if you would have used that mount button, you wouldn't have seen how to enable the Quotas.

So even if you see a shortcut, try to follow the how-to exactly, because I'm going to make assumptions later on in the how-to, that certain things are already enabled. And if you skip any of these steps, you could get lost and have to start over.

You're done with the mounting part, the second hard drive is now accessible from the File Manager module, under /mymounts/d2p1/

Just for practice, let's put a file in that folder, this will be an example of putting files on your data drive (hard drive #2)

Using the File Manager, copy and paste a file from the /options folder to the /mymounts/d2p1 folder

Click the file once to highlight it, then click Copy from the toolbar above

Navigate to the /mymounts/d2p1/ folder, and paste it using the Paste button from the toolbar above

If successful, you should see something like this

And that would be an example of saving a file to hard-drive number 2

If you ever need to un-mount it.

(You shouldn't ever need to do this) except maybe to re-format it or scandisk it.

Just navigate back to the Disk and Network Filesystems module, and click on /mymounts/d2p1/

Check the Save option so it keeps a record of it, then click the Unmount option

Then click Save at the bottom, and it will un-mount the drive.

And because you checked the save option you can easily re-mount it by coming back to this page and choosing Save and mount at boot and mount and then click Save at the bottom.

That's it for mounting and un-mounting. Again you shouldn't ever need to un-mount it, but you know how if you need it.

Next let's make sure your Linux box has the right time, and set it to automatically sync up with a time server at midnight each night.

Using the System Time module, set the time and date for both fields to be correct. You only have to do this manually once, keeping in mind that it's a 24 hour clock.

We have to do it manually once, because the sync feature doesn't work if the time is off by more than a couple of hours, so we do this to ensure the time is almost right, so the sync will work and always keep it accurate.

Don't be tempted to use the Set system time to hardware time or the other one, just set each one manually.

This should work, but if you're getting errors manually setting the time you can do it the command line way like this (using the SSH2 module): ntpdate pool.ntp.org

Once both are set right, navigate to the Time server sync tab at the top right.

You should see something like this

Set the Timeserver hostname or address field to the timeserver closest to your area
1.us.pool.ntp.org
*If you're having DNS issues you can use IP addresses here until you fix that.

Check the box that says Set hardware time too

Check the box that says Yes, at times below

Check the box that says Simple schedule and Daily at midnight

You can ignore all the time tables below, because you're using the simple schedule above.

Click Sync and Apply at the bottom of the screen, and you're all set

You should be able to navigate back to the Set time tab at the top, and see that it did in fact set the correct time for both fields.

You're all done with setting the time.

*If you get errors about the hardware clock not being set, you may have to enable the following at boot time, and then reboot. Only do this if you are experiencing problems with the hardware clock.

Navigate to the Bootup and Shutdown module, place a checkmark next to hwclock.sh and click Start Now and on Boot

That's about it for the time settings.

Next let's make sure your MTU is set right on your network card. You usually won't see a problem here unless you have multiple NICs, but let's make sure anyway.

Using the Command Shell module, run the following command

ifconfig eth0 then click the Execute command button

You should see something like this

For most purposes your MTU should be 1500, if yours comes up right you can skip this part of the how-to.

It should have found the right setting for you automatically, I've only seen it get confused when there is more than one NIC.

There are some DSL setups that are not 1500, you will have to Google your current situation to find your correct number. 1500 is right for LAN setups and all the major Coax Cable Modem ISPs.

This is an advanced problem, but if you have exhausted all other options, here is how you can force the right setting.

Using the File Manager module, edit the file /etc/network/interfaces and make the following edits

up /sbin/ifconfig eth0 mtu 1500

The placement of that line is important, make sure you put it under the iface command, and make sure if you have two or more NICs that you put it on the right line for that particular NIC (example: eth0, eth1, eth2, etc.) and of course you would change the command to reflect the NIC number (example: up /sbin/ifconfig ethx mtu 1500)

Again, this is a more advanced problem, make sure you have exhausted other easier fixes first.

That's it for MTU

Now we are going to talk about an optional install, called md or mdadm

md is a software RAID. It's amazingly fast, but expect a slight performance loss, because in most situations it will be doing every task at least twice.

You can install this if you want, it does work extremely well. I would just caution you to not use it unless you have a real need for it.

For instance, it can group many smaller hard drives together to form one big one. But if you are going to setup a bunch of folders and organize the drive, dividing the data into categories (example: folders such as "movies" or "software" or "pix") you could just designate each drive for those categories, and have a movies drive, and a software drive, and a pix drive, and not have to deal with a RAID configuration at all.

If you're looking to just combine 2 or more disks into 1 large disk, use concatenated-linear (often called JBOD, Just a Bunch Of Disks) in the RAID configuration instead of using RAID 0. But again don't waste your time joining smaller disks if you're going to organize the data into categories that could have fit on the single drives.

RAID 1 is nice, it's a 2 disk setup, where each disk is an exact copy of the other. But even with this simple convenient raid, there are many reasons to not use it. You're adding another disk to the system, so you just doubled your chances of having a bad hard drive, so it's almost like you're preventing something you're causing. And if you're truly worried about backups (as you should be) you should be doing offsite backups, backups to another computer, external backups. All of these things are superior to raid, because if that computer is involved in a fire, earthquake, flood, etc. your RAID is toast. And if your system gets a virus or the files get deleted or corrupted, you're just going to have a bunch of copies of infected or corrupted and/or missing files.

md software raid is amazing, but don't use it if you don't need it, and don't use it as a backup plan.

Don't get me wrong, I use RAID, I use it everyday, it's awesome. Just don't set it up if you're not getting the right use out of it.

RAID 0: Used for extreme performance (Careful, there is no redundancy here, any data loss is permanent, even paid recovery professionals usually can't get this data back)

RAID 1: Most basic of raids, two exact copies (mirror, 1 can go bad)

Concatenated-Linear: joining of multiple smaller disks to make one large useable one (Careful, there is no redundancy here, but data rescue is MUCH easier here than on RAID 0)

RAID 5: Used for redundancy (3 disks, 1 can go bad)

RAID 6: Used for extreme redundancy (4 disks, 2 can go bad)

RAID 10: Used for both its performance and the fact that it is also a mirror (4 disks, 1 can go bad, 2 if you're lucky about which 2 it was)

If you have decided you want to, here is how. If not, you can skip this section.

Using the SSH2 Module, or Putty (preferred) run the following command

apt-get install mdadm

It will probably ask you to say Y or Yes

The install will later pop up a GUI window asking you some questions.

Using your keyboard, Tab down to the word OK and then hit enter on your keyboard.

The screen will look a little fuzzy and off centered, this SSH2 module doesn't handle these GUI pop ups very well. If your screen is totally un-useable, you can use Putty instead. But for the most part, you should be able to follow along.

Next it's going to ask you which RAID configs you want it to start, erase ALL and type NONE. Because we are going to use Webmin to configure it.

Once you have the word none typed in there, tab down to OK and press enter on your keyboard.

If your cursor is giving you a hard time, it might help to type noneeeeeeeee in the field, and then backspace the extra eeeeeee until it reads just none
Then it will ask you if you want the raid config to start automatically, tab over to YES and hit enter. This will cause an error at boot up, but it's ok, it's just telling us we haven't configured it yet (we will do that later in Webmin)

Once you answer yes, it will take a couple minutes to setup. Then you should eventually get back to the normal SSH2 Module screen, where you can type halt -p to shutdown the computer.

Once the computer shuts off you can physically install the additional hard-drives.

Using the Partitions on Local Disks module, format any of the new drives to ext3, just like you did in the previous section.

If the second hard-drive you installed earlier in this how-to is going to be part of this RAID configuration, then you have to un-mount it first. Navigate to the Disk and Network Filesystems module and un-mount it. And this time, tell it to not remember the configuration. This will make it available for RAID.

Once you have them all physically installed, formatted, and un-mounted (if needed) then you're ready to configure the RAID using Webmin's Linux RAID module.

If you do not see the Linux RAID module under Others, try hitting Refresh Modules at the bottom left of the screen.

It will look for a couple minutes

And the next time you click on the Hardware tab, it should be there.

Enable Monitoring, Enable sending notifications, Send them to your username@localhost

and click Save

Choose a RAID configuration, in the drop down menu next to the

Create RAID device level of button.

Choose whichever one will work for your situation, and click the Create RAID device level of button.

All these RAIDs do work awesomely, I'm just saying limit your expectations down to what your hardware can handle.

You should see something like this (this is an example of Concatenated Linear)

We are joining a 40GB and a 20GB disk together to act like a single 60GB disk.

Set Force initialization of RAID to yes

And in the Partitions in RAID field, you have to select the participating disks. They appear to be selected, but they are not. You have to click on them with your mouse. In order to select the second disk, just hold down the control key on your keyboard when selecting the second disk.

Click the Create button, and it will create the RAID for you.
This can take a very long time. If you're doing Terabyte disks, go to sleep :- )

As you can see it's going to treat it as /dev/md0

And earlier in this how-to, you learned how to mount /dev/xxx into folders, so you already know how to mount this virtual raid into a folder for use on your system.

You should eventually be returned to a screen that looks like this, if it shows your correct RAID configuration, then you're ready to format it.

Click on the device name, /dev/md0

You should see something like this.

Change the drop down box to ext3, and click the Create filesystem of type button

This should take a long time, and do not be tempted to use the Mount RAID on button you see above. If you do that you will miss a few important options that are only available by doing it the long way that we covered earlier.

You should see something like this

Don't choose check for bad blocks, it will take forever, and the webpage could time out.

If successful, you should see something like this

You just have to mount it now, as Linux ext3, using the Disk and Network Filesystems module like you did earlier.

A good folder name to use would be /mymounts/vraid
That name lets you know you mounted it, and that it's a virtual or fake raid.

You want to use the File Manager module to create that /mymounts/vraid folder first, before you attempt to mount it using the Disk and Network Filesystems module.

Here is what it should look like, make the following changes.

Then hit the Create button

If successful, it will look like this, and be accessible as a folder in /mymounts/vraid with almost 60GB free space
(40GB harddrive + 20GB harddrive)

This is a very small example, I have done multiple Terabyte raids, and they work great. Just make sure you really need it, and are getting a good use out of it.

For those of you that skipped to this page, I created a new data drive, in a RAID configuration. I'm no longer using /mymounts/d2p1 as my data drive.

I'm using my virtual raid setup of /mymounts/vraid

The how-to will continue to reference the /mymounts/vraid folder as my data drive. Whereas on your system, if you skipped the raid how-to, you will need to be thinking /mymounts/d2p1/

This shouldn't interrupt the flow of the how-to, we are still talking about the same thing, a folder, that is really a second hard drive mount point, that contains our data.

That's it for the data drive, now let's configure the web server (Apache)
The web server is already running and functioning, if you type the IP address of your Linux box into a browser window, you should see it displaying
something like this.

153
By default the web server listens in folder /var/www/ and looks for a file called index.html

There is already a file called index.html in that folder, that file has the words It works!
Inside of it, thats why you see that on your screen.

If you were to delete that file, and replace it with your own index.html file, it would display that instead.

So lets use the File Manager module to delete the contents of the /var/www/ so we can replace it with our own index.html file, for our own custom
website.

154
Next you need to create your own index.html file. There are countless ways to do this, in this how-to we are going to use Microsoft Excel to make the
webpage file and save it as filename index.html. But if you Google html editor, you will find millions of other ways to achieve this.

Launch Excel, and put some words and colors on there.

155
Choose File Webpage Preview to see a preview of what it will look like.

156
Then if you like it, choose File Save as Webpage when you done

And save it as file name index.html

157
Now using Webmins Upload and Download module, upload that index.html file to the /var/www/ directory.

158
Click on the Upload to server tab

Change the File or directory to upload to /var/www/

Then click the Browse button

Then browse your Windows PC for that index.html file you created. And choose Open

159
Then click the Upload button

160
Thats it, it will upload the file to the directory, Apache is listening in that folder, and will read that file the next time you visit your website.

To see it, just open a browser window and type your IP address again, and viola, your own custom webpage running on your very own web server,
for free.

161
If you didnt want a webpage showing, but instead wanted a file chooser type of view, you could delete the index.html file, and any files you
uploaded to the /var/www/ folder would show up in a download like view, like this.

This way your users can see what files you have available for download, and can download and navigate just by clicking on them.

Which looks like this from your File Manager view

Or, you could have both a webpage and the file download view by making a deeper subfolder called files and putting the files you want available for download in there.

Just put your index.html file back in /var/www/

So when people go to your IP address, they see your webpage file

But when they go to your IP address /files (http://192.168.2.1/files) they see this

Which would look like this from your File Manager view

That's pretty much it for a basic Apache web server setup; it works right out of the box. If you want to be able to set up passwords, so that people cannot get to certain websites or folders without a password, here is how.

We are going to install the Protected Web Directories module from Webmin.com

Go to http://webmin.com/standard.html from your Windows PC, and look for the module.

Right click on the link that says htaccess-htpasswd.wbm.gz and choose Properties

This will give you the URL you need

Highlight and Copy that URL

Now go to the Webmin Configuration module

Double-Click Webmin Modules

Make sure you're in the Install tab of the module page.

And choose from ftp or http URL

And paste the following URL into the box to the right

http://download.webmin.com/download/modules/htaccess-htpasswd.wbm.gz

Or from my server http://t3.woodel.com/my-linux-how-to/htaccess-htpasswd.wbm.gz

*Due to upgrades some versions may no longer be available. If you run into this, just use the links to my server, which will ensure matching print screens, or go to webmin.com and find the newer link.

Click on Install Module and Webmin will go get the module file and install it

If successful you should see something like this, telling you it put it in your access control list, under the category Others

Click on it, you should see something like this

But we aren't ready to use it just yet.

We have to make a change to our Apache configuration file, before it will allow password files to be used.

Using the File Manager module, edit the following file.

/etc/apache2/sites-available/default

Change the following two lines from AllowOverride None to AllowOverride AuthConfig

Click the Save and Close button.

Then use the Bootup and Shutdown module to restart Apache (called apache2)

Click Restart

*Advanced* If you know you're not going to use AppleTalk on your network, you can disable it on this page by putting a checkmark next to netatalk and choosing Disable Now and On Boot.

If you know you don't need it, this will speed up the boot time and free up some resources.

Once it's been restarted, navigate back to the Protected Web Directories module

And click on Add protection for a new directory

Directory meaning folder

In this example we will password protect the files folder on your website

After you click on Add protection for a new directory

You should see something like this, make the following changes.

In the Directory path type /var/www/files

Because that is the directory we are wanting to password protect

Set the File containing users button to selected file

In the selected file field type /options/.htpasswd-4-var-www-files

Notice there is a dot in that filename. That's important; it means hidden.

It's going to create this file for you, but it won't create folders for you. So make sure you're specifying a directory that already exists, like /options.

In the Authentication realm type Restricted Area

Usually you would name the file containing users .htpasswd

That's the industry standard.

But we named it .htpasswd-4-var-www-files

Or

/options/.htpasswd-4-var-www-files

Meaning to me, it's in the /options folder

I like to name it more descriptively than just .htpasswd, because I tend to have three or four of these files protecting different directories and with different passwords.

In Linux the leading period or dot in front of a filename means it's a hidden file

So when I see the filename .htpasswd-4-var-www-files, we know it's a hidden password file protecting the folder /var/www/files

So if I were going to protect a second folder, something like


/var/www/photos/wedding

I would name the file containing users .htpasswd-4-var-www-photos-wedding

Or /options/.htpasswd-4-var-www-photos-wedding

Meaning the answer to the password for that directory is in the /options folder

Once you have it all filled out, click the Create button

If successful, you should see something like this

So the structure is all there, now you just have to add usernames and passwords to it.

Click on Add a new user

You should see something like this

Here you can add as many usernames and passwords as you want. These aren't real accounts on your server. You can make something up here; these are just password prompts on your websites.

For instance, maybe you had family photos in that files folder, and you only wanted your family members and your friend Ed to see them. You could
add a username and password like

Username: my
Password: family

And another one like

Username: ed
Password: 12345

Whenever someone goes to your website, it works just fine.

But if they try to go any deeper into your website, or are sent a deeper link like /files, then they are prompted for a password.

And if they enter the right username and password here, they will be able to see the files inside the files folder (directory).

It's a good idea to use made-up usernames and passwords for these websites. By made-up I mean not actual usernames and passwords that you're using as accounts on the server.

These website passwords are sent over the network and internet in plain text, meaning it's easy for a hacker to see the username and password that you're typing, so don't use a username and password here that actually has an account on the server.

This isn't a huge deal because (at this point) you shouldn't be exposing files to the internet that you don't want people to see. Not over an http website anyway. If you're doing really private information, make sure you're using the Webmin File Manager module, or something else that uses ssl (https) or ssh.

You're not going to provide Webmin access to your users, so later on in the how-to we will cover how to allow your users to securely transfer files using https. The s stands for secure and will secure the transfer using ssl.

These http (non s) website passwords above will keep 95% of people out, but you would be putting yourself at a huge risk if you put anything confidential on a non https website. And as a rule of thumb, don't expose anything confidential to the internet. And never type your password on a website that isn't https. And never type your password on a website you don't know, trust, and recognize. Without the s you're sending them in plain text. So a hacker would see your typing just as you see the words in this sentence.

Later on we will cover how to do it securely, but at this point don't put any confidential files on your web server, and don't type usernames and passwords that matter over a non https connection.

No worries about Webmin and Putty, they are safe; I'm mainly talking about http and ftp sites.

And if you ever want to remove the passwords permanently, you can use the Protected Web Directories module and click the Un-protect and Remove Files button.
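As an added check (not code from the how-to or from Webmin), the following shell functions reproduce what the Protected Web Directories module writes and verify the AllowOverride prerequisite, assuming the paths used above:

```shell
#!/bin/sh
# Added example, not code from the how-to or from Webmin. It reproduces the two
# things the Protected Web Directories module puts in place so you can verify
# them by hand:
#  1. the site file must allow AuthConfig overrides for the directory; with
#     "AllowOverride None" still in force Apache silently ignores the .htaccess
#     and the folder stays wide open, with no error to tell you so;
#  2. a .htaccess in the protected folder naming the realm and the user file.
# Paths are the ones used above; override them through the environment.

SITE_FILE="${SITE_FILE:-/etc/apache2/sites-available/default}"
PROTECTED_DIR="${PROTECTED_DIR:-/var/www/files}"
USER_FILE="${USER_FILE:-/options/.htpasswd-4-var-www-files}"
REALM="${REALM:-Restricted Area}"

# count_allowoverride FILE VALUE: number of live (uncommented) lines that say
# "AllowOverride VALUE" in the site file.
count_allowoverride() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -c "AllowOverride[[:space:]][[:space:]]*$2" || true
}

# write_htaccess DIR USERFILE REALM: create DIR/.htaccess as the module does.
write_htaccess() {
    printf 'AuthType Basic\nAuthName "%s"\nAuthUserFile %s\nRequire valid-user\n' \
        "$3" "$2" > "$1/.htaccess"
}

# add_web_user NAME USERFILE: add or update a user with htpasswd from
# apache2-utils; it prompts for the password. -B selects bcrypt and exists in
# the Apache 2.4 htpasswd; on an older 2.2 server drop it (MD5 is the default).
add_web_user() {
    if [ -f "$2" ]; then htpasswd -B "$2" "$1"; else htpasswd -cB "$2" "$1"; fi
}

# check_protection: sanity check to run before restarting apache2.
check_protection() {
    n=$(count_allowoverride "$SITE_FILE" None)
    a=$(count_allowoverride "$SITE_FILE" AuthConfig)
    [ "$a" -gt 0 ] || { echo "$SITE_FILE: no AllowOverride AuthConfig line"; return 1; }
    [ "$n" -eq 0 ] || echo "note: $n AllowOverride None line(s) remain in $SITE_FILE"
    [ -f "$PROTECTED_DIR/.htaccess" ] || { echo "$PROTECTED_DIR: no .htaccess"; return 1; }
    [ -f "$USER_FILE" ] || { echo "$USER_FILE: user file missing"; return 1; }
    echo "ok: $PROTECTED_DIR is protected by $USER_FILE"
}

# Typical run, as root, once the AllowOverride edit above has been made:
#   write_htaccess "$PROTECTED_DIR" "$USER_FILE" "$REALM"
#   add_web_user my "$USER_FILE"
#   check_protection && /etc/init.d/apache2 restart
```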

Apache is very powerful and can do a million more things. Later on in this how-to we will change its listening directory from /var/www/ to our data drive, so that files on our data drive can be accessible over the web.

Later on in this how-to we will also create users whose home directories are on the data drive, so they will be able to upload and download their files,
over the web, all residing on the data drive.

You can probably see where this is going. Your users will have a home directory on the web. Often referred to as web space. But with a lot more
functionality. They will be able to FTP, build websites, use the secure https File Manager, change their passwords, see graphs on how much space is
available, have disk space Quotas, etc all over a webpage.

Let's configure the FTP server (vsftpd)

Using the File Manager module, edit the file /etc/vsftpd.conf

You should see something like this.

You need to make the following changes to it.

Remove the "#" and change the line that says #anonymous_enable=YES to anonymous_enable=NO

Remove the # so that it reads local_enable=YES

Remove the # so that it reads write_enable=YES

Remove the # so that it reads local_umask=022

Add the following entry: file_open_mode=0755

Remove the # and change the Welcome string to something custom of your own

Remove the # so that it reads chroot_local_user=YES

It's normal for that chroot_local_user=YES line to appear multiple times; you only have to remove one of the "#", just once is enough.

You should eventually see something like this, when you have made all the changes, click save and close.
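The same edits applied from a shell, as an added example that is not part of the how-to; it assumes the Debian default path /etc/vsftpd.conf and that the "Welcome string" the how-to refers to is the ftpd_banner key:

```shell
#!/bin/sh
# Added example, not part of the how-to: apply the vsftpd.conf changes listed
# above from a shell instead of the File Manager. Each key is set exactly once,
# whether it was commented out, already live, or absent, and any later live
# duplicate is commented out so two values can never compete. Assumptions: the
# Debian default path /etc/vsftpd.conf, and that the "Welcome string" the
# how-to refers to is the ftpd_banner key.

# set_opt FILE KEY VALUE
set_opt() {
    _tmp=$(mktemp)
    awk -v k="$2" -v v="$3" '
        BEGIN { re = "^[ \t]*#?[ \t]*" k "[ \t]*=" }   # "key=", "#key=", "# key ="
        $0 ~ re {
            if (!done)                 { print k "=" v; done = 1 }  # first hit: the live line
            else if ($0 ~ /^[ \t]*#/)  { print }                    # already a comment
            else                       { print "#" $0 }             # live duplicate: disable
            next
        }
        { print }
        END { if (!done) print k "=" v }                            # never seen: append
    ' "$1" > "$_tmp" && cat "$_tmp" > "$1"
    rm -f "$_tmp"
}

# get_opt FILE KEY: the live value of KEY, empty if it is unset or commented out
get_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# configure_vsftpd FILE BANNER: the exact set of changes from the how-to
configure_vsftpd() {
    set_opt "$1" anonymous_enable NO        # no anonymous logins
    set_opt "$1" local_enable YES           # system accounts may log in
    set_opt "$1" write_enable YES           # and upload, rename, delete
    set_opt "$1" local_umask 022            # uploads end up rw-r--r--
    set_opt "$1" file_open_mode 0755        # mode used before the umask applies
    set_opt "$1" ftpd_banner "$2"           # the "Welcome string"
    set_opt "$1" chroot_local_user YES      # jail each user in their home
}

# chroot_local_user=YES is why a later section makes root own every home
# directory: vsftpd refuses to jail a user into a directory that user can
# write to, and the check is on write access, not just on ownership.
#
# Typical run, as root, then restart vsftpd from Bootup and Shutdown or reboot:
#   cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
#   configure_vsftpd /etc/vsftpd.conf "Welcome to my server"
#   get_opt /etc/vsftpd.conf chroot_local_user     # prints YES
```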

The next time the computer is restarted, the FTP server will read the changes we made to its configuration file, but it's not ready to use yet. We haven't added any users for it yet; we will get to that later. There is also one last security setting we have to change, which we will get to while creating the new users.

That's it for FTP for now; it's not working yet, and we will come back to it later. Let's learn some troubleshooting now that can help us later. Let's see how to check local email messages and syslog. When something goes wrong with the system, or there is a change, or a scheduled job has failed, you can use one of these two messaging systems to check it. Similar to Windows Event Viewer, you can find a lot of helpful information here.

Using the Read User Mail module, you can see if you have any local email. Errors are often sent to you in this way. This is a great feature, as later we redirect these to a real email address, and get notified via our real external email accounts if something goes wrong.

As you can see I have messages here.


In this configuration you can send and receive local emails to users of this server, using this module. You won't have much need for sending local emails, but this is an easy way to read them.

And you should often be checking the syslog and auth.log, using the System Logs module.

You can also find useful information in the View Module Logs module

A lot of the time the answer to your problems will be in one of those three places. Another great place to check is the homepage (also called the System Information module), which does a good job of showing you your current usage, even drive temperature and SMART drive status. You can also see your Uptime and OS version, Disk Space, and other important information.

As we can see above, even with everything we have added to the computer, it's still only using 34MB of RAM, 0MB of the pagefile, and 0.02 of the processor. This particular computer is only a Pentium 3, 450MHz, a paper-weight at best. Isn't Linux amazing? These awesomely low numbers are because we are using the command line version of Linux, not a GUI operating system.

Getting back to our FTP setup...


Let's add some user accounts; these would be people you would give access to your server and its resources.

We will create the accounts, set up their home directories to be on the data drive and exposed to the network\internet, and add the final security setting for FTP.

Using the Users and Groups module.

We are going to get a lot of use out of this module. It will allow us to make users and groups, set passwords, set home directories, and even set up their shell, where we can further restrict them if needed.

Click on Create a new user.

You should see something like this, make the following changes.

With the username jdoe and the real name jdoe.

The important one is the username; that will be the actual login name. You could set the real name to Mr. John Doe, or something more descriptive if you like.

Un-check Automatic and set the Home directory to


/mymounts/vraid/users/xhomes/jdoe
If you arent using raid, and are using d2p1, you would type
/mymounts/d2p1/users/xhomes/jdoe

What these descriptive folder structures tell us is:

- It's a drive I mounted
- What drive it's on
- It's user data
- It's an exposed home directory (xhomes)
- It's user jdoe

By exposed home directory, I mean that directory is exposed to the network or the internet. A constant reminder to me about security and confidentiality of what goes in there. We are later going to change the web server (Apache) to listen in those directories, so these home directories will be folders that are exposed and viewable over the network or internet.

That's on purpose, to give them webspace, space on the web, which we know is exposed to the world (www).

After you have set the username and home directory, choose Normal password and let's type in the password jdabc123

Set the Group to New Group With Same Name As User

Then click the Create button.

If successful, you should see something like this

A little advice: be careful if you ever click on a user after you're done creating it. It will go into Edit User mode, and will try to reset the password. It won't do it unless you hit apply, but try not to edit your users once they start using it, unless you know their password. See below: if you didn't know their password, editing that user a second time is going to reset their password.

You probably noticed I didn't have you put jdoe in a predefined group, like users, but instead created a brand new group with the same name of jdoe. Groups are awesome, so that's a good question. We will cover groups later, but for now let's focus on users.

In our current configuration, every time you create an account the way we just did above, the user will have read access to other users' files and shares, for downloading or viewing, but won't have the rights to change or delete anything they didn't create themselves. Which is usually what you're trying to achieve with non-confidential data or websites. But it is easily tweakable to fit any need you might have.

Now that you have a user with a password we don't care about, let's do the final FTP setting. Remember we NEVER type important passwords in FTP; these passwords are sent in plain text. If there is a hacker on your network, he is about to see it; the data as it flows over the internet\network will literally say "my password is ...", so make sure you don't type any of your important passwords in FTP.

That final security setting to make FTP work is to make your root account the owner of everyone's home directories. VSFTPD will abort and stop working if it finds any users that own their home directory. To fix this we will make every user a "save_here" folder inside their home directory. They will have full access to the "save_here" folder and any sub-folders of that folder, just not their top-level home folder.

We will use the Webmin File Manager Module to do this.


Using the File Manager module, navigate to user jdoe's home directory, click on jdoe and then click Info.

You should see something like this. Change both the User and the Group to root and then press Save.

And then inside of that folder, create a new folder called save_here.

Use the Info button to set jdoe as both the User and Group. And then press Save.

Repeat these steps for any future users you create, or FTP will stop working.

Username root is already set up right, no change needed. But don't forget username wood or whichever name you used during the install. That directory is probably here: /home/wood, as the CD install would have put it there. It's not our intention to have username wood using FTP, but remember if the FTP server finds any users that own their home directory, it will abort and stop working.
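An added audit script (not from the how-to) that lists every account still owning its home directory and applies the root-owner plus save_here layout; the passwd-file argument is there only so it can be tried on a constructed file, and the chmod modes are an assumption:

```shell
#!/bin/sh
# Added example, not part of the how-to: audit the rule above (no FTP user may
# own their own home directory) and apply the fix the how-to does by hand in
# File Manager. vsftpd refuses to chroot a user into a directory that user can
# write to, so one overlooked account, the install-time user for instance,
# stops the whole FTP service for everybody.

# audit_ftp_homes [PASSWD]: print "user:home" for every account in the passwd
# file (default /etc/passwd) whose home directory exists and is owned by that
# account. root is skipped, as in the how-to. The file argument exists so the
# check can be tried against a constructed file.
audit_ftp_homes() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ "$name" = root ] && continue
        [ -d "$home" ] || continue
        # -user takes a numeric id, so this works even for accounts that are
        # only listed in the file and not known to the running system
        if [ -n "$(find "$home" -prune -user "$uid" 2>/dev/null)" ]; then
            printf '%s:%s\n' "$name" "$home"
        fi
    done < "${1:-/etc/passwd}"
}

# fix_ftp_home USER HOME: root becomes the owner of HOME, and USER gets the
# save_here folder inside it, owned by USER and the group of the same name
# (the layout used throughout the how-to). Needs root. The modes are an
# assumption: they keep the home readable but not writable by the user,
# which is what vsftpd actually checks.
fix_ftp_home() {
    chown root:root "$2" && chmod 755 "$2" &&
    mkdir -p "$2/save_here" &&
    chown "$1:$1" "$2/save_here" && chmod 755 "$2/save_here"
}

# Typical run, as root, after adding accounts in Users and Groups:
#   audit_ftp_homes | while IFS=: read -r u h; do fix_ftp_home "$u" "$h"; done
#   audit_ftp_homes            # prints nothing once everything is fixed
```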

Once you're sure all of the users on your system don't own their home directories, reboot the server, and FTP will be ready to use.

We are going to use Windows Explorer to test our FTP. Not to be confused with Internet Explorer; Windows Explorer is not the same thing as Internet Explorer.

If you don't know how to access Windows Explorer, open up My Computer.

In that address bar, you can type FTP addresses, and hit the Go button or the Enter key on your keyboard.

It's important you are not in a browser like Internet Explorer or Firefox; those are for viewing, and are not fully functional FTP clients. Make sure you're in a My Computer window or using a 3rd party FTP client, not a browser.

Type ftp:// followed by your IP address

Mine would be ftp://192.168.2.1

And would look like this, I would just Click go or press enter on my keyboard.

If your IP was 192.168.2.178, then you would type ftp://192.168.2.178

Hit go or enter, and you should be prompted for a username and password.

Use the username and password you created earlier.
Username: jdoe
Password: jdabc123
And click the Log on button

It should log in, and you should see something like this.

Double click on the save_here folder and you should find it's empty, because we haven't put anything in there yet. Uploading files this way is as easy as copy \ paste. You should be able to copy a file and/or folder from your Windows Desktop and paste it right into the FTP window above. (Make sure you're inside the save_here folder before you press paste.)

Copy something

And paste it inside the save_here folder.

And you should see something like this.

That folder or file that you pasted (uploaded) is now on the server inside user jdoe's home directory, inside his save_here folder.

You can see that in a more familiar view by using the File Manager module.

(If you don't see it, hit the refresh button)

Those files are now exposed to the network \ internet. We are going to make them even easier to get to by changing Apache (the web server) to listen in that xhomes folder. We will use the password-protected FTP method you just used to upload files, and a no-password-needed webpage approach to view and download them. Same folder destination: FTP to write or upload, and HTTP (Apache) to view and download. Everyone will be able to view and download these files, but only user jdoe will be able to upload, modify, and delete.

Well jdoe and you (root). Logged into the File Manager as root you can do anything you want.

Ok, next let's redirect Apache to our external users' home directories. By default Apache listens in /var/www; we are going to change that to xhomes.

Open the File Manager module and create a folder called no_auth in the xhomes folder:

/mymounts/vraid/users/xhomes/no_auth

Or, if you're not raided

/mymounts/d2p1/users/xhomes/no_auth

Then click once to highlight the newly created no_auth folder, and click the info button.

You should see something like this, make the following changes

Un-check all the boxes, make sure root is both the User and Group, and then click Save.

We want this folder to be totally locked down; this is where Apache is going to dump people if they don't know where they are going. And with these super strict permissions, they won't be able to use the back button in their browser, or do anything we don't want them to.

Next, using the file manager, navigate to the folder.

/etc/apache2/sites-available

Highlight the file default by clicking on it once.

And then click the edit button.

You should see something like this, make the following changes.

That third line can be a little hard to type; if you want to copy and paste it, here it is below.

RedirectMatch ^/$ /no_auth/

Make those three changes and click save.

We have to restart apache for it to realize the changes we just made.

Using the Bootup and Shutdown module, restart apache2. Put a checkmark next to the word apache2. Or you could reboot the entire server; either way is fine, and either way will restart Apache.

Now when you try to go to your webpage, you should get what looks like an error. This is what we want.

Open Internet Explorer, and navigate to your Linux box IP address.

Mine is 192.168.2.111

So I would type http://192.168.2.111

You should see something like this

This would be an example of someone who didn't know where they were going. We are creating webspace on the internet for people who know where they're going. Notice there is no back button or Parent Directory button above the word Forbidden; this keeps people from easily browsing your directories. There is still a back button at the top left of the page, but that back button is ok, it takes them back to the last page they visited. The back button we prevented is the one that is used to move back and forth through your directories. This isn't a security feature; the xhomes folder is exposed to the internet and can be viewed. This just makes it a little less obvious that there are more folders here. Remember nothing confidential goes in the xhomes folder.

So unless someone knows where they are going, your website would seem down, or not available to them.

But if you were a user of the system (like jdoe), you would know where you were going; you would know that your homepage or your web space is

http://192.168.2.111/jdoe

Type that into Internet Explorer, and you will arrive at user jdoe's home directory.

You should see something like this.

Notice if jdoe had files he wanted to share over the internet, people could download them from this page. Or if user jdoe uploaded a file called index.html, then he would have a webpage that people could visit.

And if someone gets snoopy, and clicks on that Parent Directory button, they get dumped back to the no_auth folder. This is not for security; it just makes it a tiny bit harder to see the folders in xhomes via a browser. This is just smoke and mirrors; it's very easy to see and/or download EVERYTHING in the xhomes folder.

Now you can start providing webspace and or webpages to people. All you have to do is make them an account. Make sure to put their home
directory in folder

/mymounts/vraid/users/xhomes/

Or

/mymounts/d2p1/users/xhomes/ depending on your setup.

Make root the owner, and create one folder deeper "save_here" for that user to own.
And that user can now ftp files to their webspace, requiring a password. And share them with the world via their webpage (http) without a password.

The secret behind all of that is.

We told apache to listen in the folder xhomes


Then we told apache, if anyone lands here, immediately redirect them to the no_auth folder

jdoe would never land in xhomes, because he knows to specify the full path /jdoe when sending people links. http://192.168.2.111/jdoe

Therefore skipping the redirect to no_auth, because he never actually landed in xhomes, he landed deeper in the jdoe folder, where he wanted.

If you made a new user account called kevin, Kevin could do the same thing.

http://192.168.2.111/kevin

And so on and so on, for all your exposed users. Hence the name xhomes

Teach your users that these files are in no way confidential and are in no way safe from being manipulated, copied and/or deleted. Even though a password is needed to upload them, that password is sent out over the internet in plain text, so it would be easy to watch for that password. And easy to download all their files, because the web server exposes the xhomes folder to the entire world.

You can also make yourself folders in here, without needing to keep making new accounts. Because anything you put inside the xhomes folder will
be exposed to the web. As root you can make folders in the xhomes directory using the File Manager module.

So if you made a few new folders like

/mymounts/vraid/users/xhomes/public

/mymounts/vraid/users/xhomes/vegas09pix

/mymounts/vraid/users/xhomes/rex-the-dog

/mymounts/vraid/users/xhomes/website-for-mom

You could send internal people links like these, and later when we setup port forwarding you can send them to external users as well

http://192.168.2.111/public (internally) or http://your-public-ip-address/public (externally)

http://192.168.2.111/vegas09pix (internally) or http://your-public-ip-address/vegas09pix (externally)

http://192.168.2.111/rex-the-dog (internally) or http://your-public-ip-address/rex-the-dog (externally)

http://192.168.2.111/website-for-mom (internally) or http://your-public-ip-address/website-for-mom (externally)

And people could access the files and/or your webpages.

And later on in the how-to, when we give your server a public hostname, you can send people links that look like.

http://MyWebsite.com/vegas09pix

That has a name that makes sense, instead of those confusing numbers. But they couldn't look at your other users' folders unless they knew where they were going. This isn't a very secure way of keeping people out, but these are not confidential files, so it works great!

Optionally you could add an HTTP password to the /mymounts/vraid/users/xhomes/vegas09pix directory using the Protected Web Directories module, like you did earlier, and limit who could access those links. With the same disclaimer though: HTTP and FTP send those passwords in plain text. You will want to instead use HTTPS or SFTP to keep your passwords from being sent in plain text. It's all about the S.

That's about it for Apache and vsftpd.

Next we are going to make another user, whose password we don't care about, and whose home directory is not inside the website listening folder. Because right now, anything we upload is instantly exposed to the web server, because their home directories are in xhomes. And sometimes we will want to upload files without them being exposed to the web. We don't want to use user wood, as he probably has an important password.

The Upload and Download module you have been using in Webmin is awesome; it's easy to use and keeps your passwords safe via HTTPS, but at a price. Because of the https encryption it's really slow, and sometimes it has problems with really large files.

So we will use FTP or Samba for those needs: large files, when speed is an issue.

Same steps as before.

Using the Users and Groups module.

Click on Create a new user

You should see something like this, make the following changes.

Name the user uploadman

Do not change the Home directory option; leave it at Automatic this time.
Set the password to umabc123

Click Create

This user's home directory can now be found under


/home/uploadman/

(If you don't see it, hit the refresh button)

Make root the owner, and make him a "save_here" folder one folder deeper.

Now you should be able to ftp in as user uploadman

Remember to use Windows Explorer, not Internet Explorer, when FTPing

Using copy \ paste, let's upload a large file. Copy something big, like a CD\DVD iso.

And paste it

Close the FTP window, and go look at it in the Webmin File Manager.
(If you don't see it, hit the refresh button)

Then using the buttons at the top, you could cut that file, and paste it into the /options/ directory.

And that would be an example of how to get huge files uploaded to your server, and put into the /options folder.

Or even easier, if the file you're after is on the internet, you could just use the wget command you learned earlier. Using the SSH2 module or Putty, login as root, then change directory to the options directory

cd /options

Then type wget http://the-website-that-has-it/debian503.iso

That would accomplish the same thing, but the file would have to be on the internet or a web-server for that option to work.

Either way, now you have a couple work-arounds, for large files, if the Upload and Download Webmin module gives you problems.

And now you have an ftp account uploadman whose home directory isn't exposed to the web server, and a user jdoe whose home directory is exposed to the web server.

Now let's set up disk space restrictions, called Quotas. These are very important, because without them, there isn't anything stopping your users from uploading too many files, eating up your bandwidth, filling up your disk space, and ultimately crashing your server.

Let's think of user uploadman as an account probably only you, the administrator, would use. And let's think of jdoe as an account you made for your friend or your client (John Doe).

You most likely wouldn't put a quota restriction on yourself (uploadman) but you should restrict jdoe. And because of the way we have been mounting the hard drives, quota is almost already set up.

Just go into Webmin, and click on System in the left menu, and then click on the Disk Quotas module

Notice mine says Filesystem /mymounts/vraid

Yours will either say that or /mymounts/d2p1/

Depending on if you followed the raid how-to, or not.

I will continue to call it /mymounts/vraid but you will know I mean either one.

Click on Enable Quotas

Don't get clicky; this can take a good 10 minutes or longer to respond.

And you should finally see something like this

Click on Users not groups

You should see something like this

There is a lot of good info here. Notice username uploadman is not listed here. That's because he doesn't live on this hard drive, and hasn't been given any access to it. uploadman lives on /home/uploadman, which is the main hard drive; this is drive number 2. So only jdoe shows up, and of course root, because root has access to everything.

Let's set up a quota for user jdoe


To limit the amount of space he can use on /mymounts/vraid

Click on jdoe

You should see something like this.

Make the following changes.

Soft Limit = 2GB
Hard Limit = 3GB

Then click the Update button.

That's it.

This means the user (jdoe) has 3 gigs of storage space he can use. You will start to get warned above 2GB, and he will get cut off after 3GB.

We don't change the file limit, just the overall size limits. I don't really care how many individual files he puts on there, just as long as the overall size of his home directory doesn't exceed 3GB.

When you get back to the main quota screen, you should see something like this.

There is all the information you need right there. You can see user jdoe is using 26MB. He is allowed to use 3GB. You will be warned when he reaches above 2GB. And I put red x's through the file limits, because I don't care how many individual files he puts on there.

You don't want to set a quota for root, because root is unstoppable, and root is you. And you don't want to set a limit for users wood or uploadman, because that probably is also you.

But always set quotas for your users.
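Added example, not from the how-to: the same limits set with the quota package's command-line tools, together with a check that the filesystem is mounted with quota support (the usrquota mount option is an assumption about the earlier mount setup):

```shell
#!/bin/sh
# Added example, not from the how-to: the same per-user limits set with the
# quota package's command-line tools instead of the Disk Quotas page, plus the
# check that makes "Enable Quotas" possible at all. Assumption: the data drive
# was mounted with the usrquota option in the earlier mount setup.

# gb_to_blocks N: quota limits are counted in 1 KiB blocks, so 2 GB -> 2097152
gb_to_blocks() {
    echo $(( $1 * 1024 * 1024 ))
}

# quota_enabled MOUNTS_FILE MOUNTPOINT: succeed if MOUNTPOINT is mounted with
# user quota support according to MOUNTS_FILE (/proc/mounts on a live system).
# A file argument is used so the check can be tried on a constructed file.
quota_enabled() {
    awk -v mp="$2" '
        $2 == mp { opts = "," $4 ","
                   if (opts ~ /,(usrquota|quota),/ || opts ~ /,usrjquota=/) ok = 1 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# set_user_quota USER MOUNTPOINT SOFT_GB HARD_GB: block limits only; the two
# trailing zeros leave the inode (file count) limits unlimited, as the how-to
# does. Needs root, and quotas must already be on for the mountpoint.
set_user_quota() {
    setquota -u "$1" "$(gb_to_blocks "$3")" "$(gb_to_blocks "$4")" 0 0 "$2"
}

# report_quotas MOUNTPOINT: the table the Disk Quotas page shows, in a terminal
report_quotas() {
    repquota -u "$1"
}

# Typical run, as root (jdoe and testuser as set up in this section):
#   quota_enabled /proc/mounts /mymounts/vraid || echo "remount with usrquota first"
#   set_user_quota jdoe     /mymounts/vraid 2 3
#   set_user_quota testuser /mymounts/vraid 4 5
#   report_quotas /mymounts/vraid
# A quota covers one filesystem only: uploadman's home is on the root disk,
# so nothing here limits him, which is what the how-to intends.
```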

Let's make another user called testuser with a password of abc123


With a home directory of /mymounts/vraid/users/xhomes/testuser

*or /mymounts/d2p1/users/xhomes/testuser depending on your setup

We will use this user to test things you set up for your users. Because once you go live with this and start giving people access, you won't know their passwords, and will need an account of your own to test user settings with.

So navigate to the Webmin Users and Groups module, and create a new user.

And very similar to what you did for user jdoe

setup user testuser

Click the Create button.
Don't forget to make root the owner of his home directory and make a "save_here" folder.

And using the Disk Quotas module, give him a limit of 5GB, warned at 4GB.

Similar to what you did earlier.

Click on testuser

Setup the quota, and click update.

That's it for quotas, and now you have a username testuser you can use for testing.

Now... after all that work I would recommend you uninstall FTP and replace it with SFTP. I thought it was important we learn FTP, and there are some good uses for it, but SFTP is superior in every single way. At this point I recommend that if SFTP can be used in place of FTP, you uninstall FTP using the commands below. The only need I still have for FTP is a webcam I have that only has FTP embedded, and a printer that uses FTP for scanned images, so I have two uses for FTP over SFTP, but what I really should do is buy a new webcam and a new printer. If you can choose SFTP over FTP for your needs, you should stop using FTP.

Run the following (3) commands from putty if youre ready to ditch FTP.
apt-get remove vsftpd
apt-get purge vsftpd
apt-get update
And then reboot the server.

See my Do more section for my SFTP how to.

Welcome back, you have either decided to keep FTP or have successfully switched to SFTP. Moving on, next we are going to setup Usermin. The
rest of the guide is written assuming all home directories are owned by root, and all users have a "save_here" folder. When referring to
home, I now mean /WhereEverTheirHomeIs/username/save_here

Usermin is a restricted Webmin-like interface you can give your users access to. Remember, you never want to give them Webmin access, that's for
you, the admin.

After we install it, we have to do a lot to lock it down. It's very powerful, so we have to configure it to only allow access to the things we want your
users to see.

First we need to download the Usermin installer from http://webmin.com

So let's navigate to our Upload and Download module, so we can download it.

Make sure you are on the download from web tab

Paste this link into the URLs to download field

http://prdownloads.sourceforge.net/webadmin/usermin_1.570_all.deb

Eventually these links will stop working due to new versions, so you may have to use the versions from my server, or go to webmin.com, click on
Usermin, click on Deb and find the newest link.

My server

http://t3.woodel.com/my-linux-how-to/usermin_1.570_all.deb

This will download the installer to the /options folder for you.

And we will install it using the Software Packages module

Choose From local file, provide the path, and click the install button.

You should see something like this.

Click the install button.

If successful, you should see something like this.

Ignore the fact it's telling you to login above, we are not ready for that yet.

Usermin is now installed, we have to lock it down now, because its default install gives the user way more control than we want them to have.

You should have a Usermin Configuration module within your Webmin screen now, towards the top, under Webmin.

If you don't see it, you may have to hit Refresh Modules at the bottom of the screen. If you still don't see it, close all your browsers and login to
Webmin again.

Usermin has a lot of features we need to disable for our users.

Starting from the top and working to the right, let's click on User Interface

You should see something like this, make the following changes, and click save.

Here is an easy way to check for Usermin updates once it's installed. Click the Upgrade Usermin icon.

Next click on SSL Encryption.

And change Enable SSL if available to No

And click save.

This will disable HTTPS for Usermin, and force it to run un-encrypted, using HTTP.

This is a horrible idea, HTTPS is awesome. It's what keeps your passwords and transactions safe on the internet. We just disabled one of Usermin's
best features.

We will turn it back on later; turning it off for now will make this guide a little smaller and easier to follow.
This only affects your users and Usermin, your Webmin is still HTTPS, so no worries there.

Next click on Usermin Module Configuration.

Then click on Upload and Download.

And make the following changes.

Then click save

You should be returned to this screen, click on File Manager

Make the following changes.

Then click save.

You should be returned to this screen, click on File Manager again, there is another change we need to make to it.

Click on the Default users preferences tab, on the top right, and make the following changes.

Click save

You should be returned to this screen.

Click Return to Usermin Configuration

Then click on Available Modules

Make the following changes.

Make sure you un-check everything except

File Manager, Disk Quotas, Upload and Download, and Change Password.

Everything else should be unchecked. Then click save.

Next click on Allowed Users and Groups

And make the following changes.

Then click save.

Next click on Access Control Options.

And make the following changes.

Then click save.

That's it for Usermin, you can login and see the fruits of your labor.

To login, open your browser and type http://your-linux-box-IP-address:20000

My IP address is 192.168.2.111

So I would type http://192.168.2.111:20000

Login as testuser with password abc123

You should see something like this

Here your users can use the Browse button to choose and upload files over the internet or network, directly to their home directories.

This Upload and Download module will load as the homepage for your users, but they can also click on the menu items on the left.

Here they can check their disk space usage and quota, use the File Manager module, and even change their own passwords.

============================= Optional Usermin changes ===========================

If you really wanted to spoil your users, you can make the Upload and Download module, the File Manager module, and the File Chooser default to
the user's save_here folder so they don't have to browse to it each time. Just go back into the Usermin Module configuration for these three
modules, and change the allowed path from home to this.

~/save_here

The variable ~ means the home directory of the logged in user. So the path ~/save_here tells Usermin to go directly into the home directory's
save_here folder for whoever logs into Usermin. This is a great feature, your users will like this.

Another extremely useful variable is $USER

The variable $USER means the currently logged in user's username. So that tells Usermin to go into a folder which matches the user's username.
You could do something like this.

/var/www/$USER

And if jdoe logged in, it would take him to /var/www/jdoe; if wood logged in, it would take him to /var/www/wood

If you combine these two variables, you can actually make your users a private area and a public area on your server. You could point apache back to
listening on /var/www, then change their save_here folder from 755 permissions to 700 permissions, and voila, things your users upload to their home
directory's save_here folder would be totally private, their passwords would be protected (assuming you're using SFTP or Usermin, not FTP),
their files would be private, and if you make them a folder matching their username in /var/www (/var/www/jdoe) they can, via Usermin,
cut\copy\paste\move things from their private and secure home directories and expose them to the internet by cut\copy\paste\moving files to
/var/www/their-user-name. A good example of this would be a user who uploads all of their vacation photos to their home directory safely,
securely and privately, then using Usermin, cut\copy\paste\moves the few photos they do want made public to /var/www/their-user-name.
This assumes you told apache to stop listening in xhomes and changed it back to /var/www. All you would have to do is edit the Upload and
Download module and the File Manager module to include both ~/save_here and /var/www/$USER as allowed directories, and then both locations
will show up when they log into Usermin.

*Note, /var/www lives on the first hard drive, if you do this not all your user data will be on disk 2. You may want to do something like
/mymounts/vraid/users/www/their-user-name and change apache to look in /mymounts/vraid/users/www; this way all user data is still on disk 2.

Reminder, you would need to change each user's save_here folder to 700 permissions if you wanted them to truly be private. We talk about this in
greater detail later on in the Samba section, but basically, you can see below, 700 permissions mean only that user can access those files. (and root,
because root is unstoppable)

Whereas public folders exposed to apache should be 755 permissions

Your users will really like how easy and flexible it is. Just be sure to limit the file sizes they can upload, because Usermin uploads go to ram first
and are then moved into place; if you're not careful a user can crash your system by uploading a file so big that it fills up the server's ram. Here is an
example of limiting them to 800MB per upload. I like 800MB, big enough for a CD iso, but too small for them to be uploading huge DVDs or zip
files. For that they can use FileZilla, FileZilla doesn't first store the file in ram, so instruct your users that extremely large uploads should be done
that way.

You can purchase your own SSL certificate, and turn HTTPS back on for Usermin. In that same window you can upload the SSL cert you purchased
and now your users will have a secure way of logging in.

============================= End, Optional Usermin changes ===========================

If you get permission denied errors while testing your Usermin accounts, that just means the temp folders for Usermin haven't been created yet.
The easiest fix is to temporarily make that user owner of their own home directory, login to Usermin as that user, and click on each of their allowed
modules one time; that will make all the necessary temp folders. Just remember when you're done to change their top level home directory back
to owner root. If that's not an option you can manually make these temp folders as root using the Webmin File Manager module. You would need to
make the following folders for them, setting and leaving them as the owners. Notice the leading dot in the names.
These would be 755 permissions. With these two folders in place, Usermin can now make temporary files and remember user preferences.

~/.tmp
~/.usermin
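For the private/public layout described in the optional changes above (a 700 save_here, a 755 public folder under the web root, and the ~/.tmp and ~/.usermin folders Usermin needs), here is an added shell script, not the guide's own, that creates one user's folders with those modes. The homes and www base directories are parameters; /mymounts/vraid/users/xhomes and /mymounts/vraid/users/www are the guide's locations for them, jdoe is only the sample user, and ownership is changed only when the script runs as root and the account exists.

```shell
#!/bin/sh
# Added example (not the guide's own script): create one user's private and
# public areas as the optional Usermin changes describe.
#   HOMES/user            755, owned by root (the user must not own it)
#   HOMES/user/save_here  700, owned by the user: private uploads
#   HOMES/user/.tmp       755, owned by the user: Usermin temporary files
#   HOMES/user/.usermin   755, owned by the user: Usermin preferences
#   WWW/user              755, owned by the user: what they choose to publish
# HOMES and WWW are parameters; /mymounts/vraid/users/xhomes and
# /mymounts/vraid/users/www are the guide's locations for them.

provision_user_area() {
    homes=$1 www=$2 user=$3
    home="$homes/$user"

    mkdir -p "$home/save_here" "$home/.tmp" "$home/.usermin" "$www/$user"
    chmod 755 "$home" "$home/.tmp" "$home/.usermin" "$www/$user"
    chmod 700 "$home/save_here"   # only the owner (and root) can get in

    # Ownership needs root and an existing account. When run unprivileged,
    # e.g. a dry run in a temp directory, the modes are still applied and
    # the chown step is skipped.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown root "$home"
        chown "$user" "$home/save_here" "$home/.tmp" "$home/.usermin" "$www/$user"
    fi
}

# Octal mode of a path (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Check a provisioned layout: prints "ok", or the first wrong path and
# returns 1.
verify_user_area() {
    homes=$1 www=$2 user=$3
    home="$homes/$user"
    [ "$(mode_of "$home/save_here")" = 700 ] || { echo "$home/save_here"; return 1; }
    for d in "$home" "$home/.tmp" "$home/.usermin" "$www/$user"; do
        [ "$(mode_of "$d")" = 755 ] || { echo "$d"; return 1; }
    done
    echo ok
}

# `sh provision.sh --demo` builds and verifies the layout in a temp dir.
if [ "${1:-}" = "--demo" ]; then
    base=$(mktemp -d)
    provision_user_area "$base/xhomes" "$base/www" jdoe
    verify_user_area "$base/xhomes" "$base/www" jdoe
    rm -rf "$base"
fi
```

verify_user_area is the check to run after fixing permissions by hand in the File Manager: it reports the first folder that is not 700 or 755 as expected, which is exactly the mistake that turns a private save_here into a public one.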

That's about it for Usermin.

We continue on assuming the xhomes folder name still means exposed to apache, which wouldn't be true if you did the optional changes above. The
exposed folder would actually be /mymounts/vraid/users/www

You could purchase a public hostname, often called a Domain name, instead of telling user jdoe this is his website http://123.123.123.123/jdoe which
he will never remember.

You can do a name, something easy to remember.

http://example.com or http://example.com/jdoe or http://jdoe.example.com

And instead of telling jdoe this link to manage his account https://123.123.123.123:20000

You could do a webhop like this http://members.example.com or http://my.example.com , that redirects them to https://123.123.123.123:20000

Your users are already accustomed to website names like this, most of their other online accounts will start with members.example.com or
cardholders.example.com or my.example.com

In all of these examples, you would replace example.com with the unique name you chose as your dynamic public hostname. It's dynamic
because your IP address will change over time, but the name will not.

There are many sites that will do this for you. In this example we will use http://dyndns.org

I use them, and I think they do a great job.

You can go to their website, and choose either a paid dynamic hostname, like example.com.

Or you can choose a free dynamic hostname, but the free ones put a little advertisement in the name, like example.drink-beer.com

It's a small price to pay, but every time you tell your users their link, you're advertising for beer.

I would go with the paid version, the support is better, the names are shorter, and your users will take you more seriously.

http://dyndns.org calls their paid version Custom DNS

Start by going to their website http://dyndns.org

Choose a free one, or a paid one.

I use the paid one, the names are easier to remember, it's more robust and the support is better. With the paid one you can email them, and a real tech
will answer you. If you go with the free one, I think email is disabled and you have to use the knowledge base.

Both work great, I have a couple free ones I have never had a problem with as well.

Choose your poison, type the name you want in the example box, and click the add button. For example, we will say you selected kevin.gotdns.org
*Don't really type kevin.gotdns.org, that's just an example

If the name isn't available, it will ask you to pick a different name. Once you find one you're happy with, click add. The website will walk you through
everything you need to do, and you will leave with a dynamic public hostname and a username \ password for making changes.

Then all you need to do is tell your router at home that information, so it can dynamically update the IP address at your house, to match the
hostname you picked out. This way if your WAN IP address changes, the router can notify dyndns.org to update their info to match.

Your router's management interface should have a tab called DDNS. Log into your router and fill in the information.

You should see something like this, make the following changes.

*Don't use kevin.gotdns.org, that's an example, use the name you picked at the dyndns website.

Now your router will tell the dyndns.org website if ever your home IP address changes, so that your hostname will always point back to your router
at home, even if your IP address changes (and it will)

Now your router will always respond to the hostname you picked. Now all you have to do is tell your router what computer, inside your house, to
send the traffic to.

So far we have a need to port forward ports 20, 21, 22, 80, 10000, 20000 to be directed to the Linux box inside your house. 20\21 are FTP, if you
have uninstalled VSFTPD you don't need those two.

Mine is IP address 192.168.2.111

That would look like this.

Now your router will send web traffic (that's port 80) to 192.168.2.111 (your Linux box)
Now your router will send ftp traffic (that's ports 20 and 21) to 192.168.2.111
Now your router will send ssh \ putty traffic (that's port 22) to 192.168.2.111
Now your router will send webmin traffic (that's port 10000) to 192.168.2.111
Now your router will send usermin traffic (that's port 20000) to 192.168.2.111

This way your Linux box (192.168.2.111) isn't totally exposed to the internet, you control what traffic is allowed to get to it.

Now if a user types http://kevin.gotdns.org into a browser window, browsers talk on port 80, and your router will know where that is supposed to
go.

Now if you type kevin.gotdns.org into a putty window, putty talks on port 22, and your router will know where that is supposed to go.

And so on and so on.

That's pretty much it for the dynamic hostname and the firewall \ port forwarding configuration. If everything is working except ftp, you could be
having a min_passv, max_passv port numbering problem with your firewall. Or a modprobe ip_conntrack_ftp problem. Or a NAT problem, those
are advanced problems, and we will cover that much later in the how-to. SFTP doesn't have these issues, yet another reason to make the switch if you
haven't already.

You should now be able to get to your Linux box from the internet. Meaning you should be able to get to it from work, a friend's house, etc using
your dynamic hostname.

Next we are going to setup Samba. This isn't something that's going to benefit your internet users, but you're going to love Samba for your network
users. Meaning people inside your same small business network or home network. It's basically File Shares for Linux.

It has very few limitations, and is really an all in one solution for your LAN. Once you go Samba you will never go back. Everything you do from a
Samba share is streamed and/or run live, directly off the server, not downloaded to the user's PC. So when you play music or movies from the Samba
share, you don't have to wait for them to download first, they play right off the server. Same with documents, they live on the server, and you work
on them live, never downloading to your PC.

We need to disable one of Samba's coolest features, the home shares. By default Samba shares every user's home directory, with the correct
permissions, so only that user can see his or her files over the network.

Home shares are awesome, they work perfectly with very little configuration. But we need to disable them because we have ftp enabled on
everyone's home directories. We are going to consider the data in people's Samba shares to be confidential. So we do not want them accessible via
ftp.

We are even going to use Samba to put a user's My Documents folder on the server, so when they save to their My Documents folder on the
windows PC, it actually saves to the server. There will surely be confidential data in there, so we don't want FTP and Samba listening in the same
folders.

FTP is not secure, and is provided for our external users. So we need to move our shares to a different directory, only accessible by our internal users.
Plus once your internal users experience Samba's awesomeness, they will never want to FTP again anyway.

It's our fault for running both FTP and Samba on the same server. Realistically you would want two servers, one private, and one public. But this
how-to assumes you have limited resources, and wish to run both FTP and Samba on the box.

So unfortunately, we will need to delete all the shares listed below.

And then we are going to setup the defaults for all new shares. That way when we create new ones, they already have most of the right settings, kind of
like a template.

Click on Unix Networking

*Reminder, much earlier in this how to, I changed my IP address from 192.168.2.111 to 192.168.2.1, so when
you see me refer to 192.168.2.1 I'm just talking about the new local IP address of my Linux box.

Make the following changes

For the listen on address, use your local IP address.

Mine is 192.168.2.1, use the IP address of your Linux box

This is important later on in the how-to, when we add another network card.

Next click on Windows Networking

You should see something like this, make the following changes

Click Save.

Next click on File Share Defaults.

There are a few sub menus under File Share Defaults, if you get lost, just click File Share Defaults again from this main screen.

The Other Share Options are the sub menus I was talking about, if you get lost, just click the File Share Defaults icon on the main menu again.

Click the Security and Access Control icon, and make the following changes.

Under Hosts to allow, allow only 127.0.0.1 and your subnet

If you're on a 192.168.2.xxx network, then use the settings above

If you're on a 192.168.1.xxx network, use 192.168.1.0/24

If you're on a 192.168.0.xxx network, use 192.168.0.0/24

If you're on a 10.10.10.xxx network, use 10.10.10.0/24

Don't be worried that we just set the default value to writeable. We are going to fix that later. All that will mean by the time we are done is that they
are all writeable by their owner, and not really everyone, the way it appears now.

Setting up these defaults will save you a lot of steps, and pre-fill some information for you when making new shares. So they come up as mostly
done, kind of like a template, where you just have to make a few changes, and it will make more sense later.

After you click save, you should be returned to the sub-menu, where you can click on File Permissions

Click on File Permissions

You should see something like this, make the following changes

There is a ton of good information right there, and I will explain what it all means as soon as we finish these sub menus.

Click save, and you should be returned to the sub menu

We don't need to change anything under the File Naming icon, so we will skip to the Miscellaneous Options icon.

Click on the Miscellaneous Options icon.

You should see something like this, make the following changes.

This should return you to the sub menu, make the following changes.

And then click save.

This should finally return you to the main share menu.

Now that we are back at the main share menu, and are done with the confusing sub menus, I wanted to take a moment to explain these settings,
knowledge of what these mean is pretty important

Here is what 700 permissions mean, we will be using 700 the most, and now is a good time to talk about it.

It's unlimited rights for the user. (wood)

In our setup the user is the owner of the file. The owner of the file is the person that uploaded it to the server. So when your users upload a file, they
own it, because it's theirs.

There are no rights for anyone else, to others it would appear as if the file isn't there.

In the group field you see root, it's just filling a blank space for us. You have to put something there, we aren't using groups just yet, we will be
covering that later. So putting root there just fills in the spot for us. All the rights are unchecked anyway, it's just filling the field for us.

There is one exception, root doesn't need rights. Root is too cool for that. Using the File Manager module, or being logged in as root, you can see and
do anything you want. So as long as you're logged in as root, or using the Webmin File Manager module, then these rules don't apply to you. But try
to forget that, it's an exception to the rule. You should consider that 700 example above as only being accessible by user wood. And you're the only
one that can use Webmin anyway. This isn't any less secure, it's just so you don't lock yourself out.

So if user wood uploads a file, he is the user, he owns it, he can do whatever he wants to it. This is pretty standard, it's his file, and he can do
what he wishes to it.

Here is where we forced that all to happen by default when we create a share

Any files uploaded to the shares will get the 700 permissions we talked about. Meaning only that user can see and use those files.

We don't allow the following of shortcuts (symlinks)

And we allow deleting of read only files, because that user put that file there, they own it, they should be able to delete it if they want.

Most of the shares we are going to make will use this 700 setting.

We will be making a couple that use 755, that looks like this

Above you can see this folder would be usable by everyone, in a read only like mode. This is not the kind of permissions you would want on
confidential files. They can download files, run files, view documents, they just can't add files or delete files, because they can't write. Only user
wood can write, modify, and delete. This kind of access would be ideal for providing your users the ability to download files you put in there. But
you don't want them to delete anything, add anything, or change anything. At home this may be your media share, with your playlist, music, pictures,
movies, etc. In a small business this might be where users could download software instructions, pdf forms, maps and other non-confidential data, etc.

These permissions only pertain to files uploaded via Samba. If you interact with these folders using the File Manager (or some other module other
than Samba) they won't get the permissions we specified, as this is a Samba function and Samba didn't put them there.

If you accidentally mess up a file\folder permission, you can use the File Manager to fix it.

You just have to highlight the file or folder in question and hit the info button

Just be careful, you're un-stoppable this way. You won't be warned if you're doing something wrong. A good rule of thumb is never do this to a file or
folder that you didn't create. That way you're never messing with system folders.

We had to go through all of this with Samba because we disabled the home directory shares. So we caused the problem :- ) but it was necessary for
our particular setup, because we have internet exposed home directories. If this were a server only running Samba, and we didn't have so many
different ways to access it, we could have avoided a lot of these lock downs as home directory shares are already setup this way by default.

Ok, back to work.

We are almost ready to start making shares, we just have to configure the server to automatically make a samba account every time you make a new
user account.

Linux treats samba accounts and user accounts as two different accounts, so we need to tell it to stop doing that, that's not going to work for us, so we
will tell it every time we make a new user account, also make a matching Samba account with a matching password.

Scroll down on the main share page until you see

Configure Automatic Unix and Samba user synchronization

You should see something like this, make the following changes

This will only work on newly added users, and only if you keep using the Webmin Users and Groups module to add them. If you make a new user
some other way, it won't make the duplicate account for you.

I say that because at the end of the how-to, I'm going to encourage you to learn the command-line way of doing everything. This would be the
exception. For adding users and groups, keep using this module.

So all of the users we add from here on out will automatically get a samba account.

Which means we missed user wood

As he was created way back before we even installed Samba

This is really easy to fix, just launch putty or the ssh2 module, and run the following command

smbpasswd -a wood

Remember to replace wood with the name you picked during install

And use the same password

This will create him a Samba account, and you will be all set

You should see something like this, you can now exit the SSH2 module

That should be the only time you need to do that, as now they are being created automatically every time you make a new account. (using the
Webmin module)

You might be wondering what about user jdoe and user testuser

Those are internet users, they don't apply here, so you don't need to add them.
We don't want them to use Samba, because they are examples of people who are not on your local network, so they will need to stick with FTP,
SFTP, and/or Usermin for access.

Let's make (5) example users, these will be examples of people on your network, in the same business, house, building, network as you.

Using the Users and Groups module, create the following (5) users

Username: roommate1 Password: roommate1

Username: roommate2 Password: roommate2

Username: roommate3 Password: roommate3

Username: roommate4 Password: roommate4

Username: public Password: public

When creating them, leave their home directories at the default setting, don't specify a custom home directory for them.

I used roommate as an example, meaning that they are in the same building as you, meaning same internal network.

Continue on, and make all (5) accounts

You should see something like this, notice their home directories are in the default location.

Once you have all (5) accounts created, we are finally ready to start making some shares.

Open the File Manager Module, and navigate to /mymounts/vraid/users/

(Or /mymounts/d2p1/users/ depending on your setup)

Create a folder called nshares

To me this means internal shares

You should now have something like this

/mymounts/vraid/users/nshares

Your users folder now contains an xhomes folder and an nshares folder

This folder structure reminds you that

It was mounted by you (mymounts)
It's on a virtual raid (vraid)
It contains user data (users)
xhomes = exposed homes (exposed to the internet, unless you made them private in the earlier optional Usermin steps)
nshares = internal shares (internal to your network)

Triple check you're not making any shares inside the xhomes folder, you want to be at least one directory higher, in the nshares directory.

Like this
/mymounts/vraid/users/nshares/

Not this !
/mymounts/vraid/users/xhomes/nshares/

We won't be using the File Manager to make any folders deeper than

/mymounts/vraid/users/nshares/

Because the File Manager won't make the file permissions the way we want. It can, it can do anything, it's just more clicks, we will instead let
Samba make them for us.

Here is how you can tell, click on the nshares folder once to highlight it, then press the info button

As you can see, these are not the ideal file permissions for our shares.

It is the ideal set of permissions for the nshares folder. But not for the shares inside it, the deeper sub-folders we are going to make inside of it
need to be created by Samba. And these sub-folders will be the actual shares.

So once you have created the nshares folder, you can exit out of the File Manager, and return to the Samba Windows File Sharing module

And click on Create a new file share

You should see something like this every time you create a new share

You were probably expecting that box to say 700

This screen is talking about creating the share. All that 700 template stuff we setup earlier was for the files that will be uploaded by your users, and
eventually populate the share.

This screen is talking about something else, it's talking about creating the share.

Let's make the following changes, this will be the share for user roommate1

We are considering this a confidential share, as it will house roommate1's personal data.

That's why we need to change the permissions to 700

You probably noticed the directory /mymounts/vraid/users/nshares/roommate1 doesn't exist yet.

That's perfect, that's what we want. This way Samba creates that folder, with the permissions we filled in here.

You probably feel like you have entered this information twice. That's not true. All that default share stuff we did pertains to the files roommate1
will later be uploading and using. This screen is setting up the correct permissions for his share.

For the directory put

/mymounts/vraid/users/nshares/roommate1

Click the Create button

You should be returned to the main screen, and see something like this.

Click on Create a new file share

And make all of the following shares

Notice that the fields all say roommate2

Click Create

Create another one

Notice that the fields all say roommate3

Click Create.

Create another one.

Notice that the fields all say roommate4

Click Create.

Create another one.

Notice that the fields all say wood

Click Create.

Create another one.

Notice this one is a little different, this one is using 755.

As you can probably tell, this one is going to be readable by all, but only writable by you (wood)

Click Create.

Create another one.

Notice this one is a little different. Set the owner to username nobody

That isn't an example, really use the name nobody

And the permissions to 755

We are going to do something different with this one, make sure to type the word nobody in there, just as you see it.

This is going to be a publicly writable share, so your users can share files with each other.
Right now they probably email everything as an attachment, this will help cut that down a lot.

I will explain the username nobody later

Click create.

You should be returned to the main sharing screen, and you should see all the shares you just made listed.

Because of all the defaults you setup, roommates 1 through 4 are done.

We have to make a small change to media, and a few changes to public.

Click on media, and make the following changes

At the media sub-menu, click on File Permissions

Make sure you're at the sub-menu for the media share, and not in the defaults for all shares.
It should say Edit File Share at the top, and not File Share Defaults.

Then click on File Permissions and make the following changes.

Click save.

You will have to click save at the next screen too.

Do these exact same steps for the public share too, and click save.

There are a couple more changes we need to make to the public share.

Click on public and make the following few changes

You will see a sub menu

Click on Security and Access Control.

Make the following two changes.

And click save

User nobody isn't an example, really use the name nobody

You will be returned to the sub-menu, where you need to click save again.

You will be returned to the main screen, scroll down to the very bottom and click

Restart Samba Server (If you're using Ubuntu you may need to reboot, as Ubuntu uses a different command to restart services, rebooting the
server is a way to be sure everything gets restarted)

327
Now all (7) shares are setup and ready to use, you now have a fully functional file server.

You can connect to them from your Windows PC now by typing

\\your-linux-box-IP-address\

Mine is 192.168.2.1, so I would type \\192.168.2.1\

Do this in an Explorer window, like the My Computer window.

You can click Go or hit the Enter key on your keyboard.

You should be prompted to log in.

Let's use

username: roommate1
password: roommate1

If successful, you should see something like this.

You're logged in as username roommate1, so you should be able to do anything you want inside of the roommate1 folder.

Here you are in the roommate1 folder, making a new folder.

And you should be able to do anything inside of the public folder.

If you double-click on any of the other roommates' folders, you should get an error and not be allowed in. This is what we want. Those are their confidential folders, not yours.

You should also be able to see inside the media folder. There isn't anything there yet, but you should be able to double-click it.

You shouldn't be able to add or delete anything. Only user wood can do that.

Once user wood uploads some files into there, your users should be able to access them, but not change or delete them.

That user nobody stuff we did is pretty cool.

It's going to force all users to be a guest user any time they enter that folder.
That's the magic behind everyone being able to edit that folder, even though it's got 755 permissions: Samba treats anyone inside that folder as user nobody, and user nobody is the owner.

The username public might never be used, but it is needed because we require an account from anyone wanting to access a share. This would be one you could give to someone wanting temporary access to your shares.

It would be for someone on your network who doesn't have an account.

You could tell them to just log in as username public, password public.

And they would be able to access the media and public shares, but none of the confidential roommate shares.

This is extremely helpful at home when you have LAN parties. Someone always has a patch or a CD key they need to share; you can tell all of them to use username public, and they can put the needed files up in the public folder for everyone to access.

Or in a small business, you might have a vendor stop by to show off a product, and they need share access. Just tell them to use username public, password public, and they are in, with no work for you to do, and they can't get to anything confidential.

It's just a complete solution; once you have it you won't be able to live without it.
You can combine these shares with this awesome backup utility, Cobian Backup.

It's free, and amazing. You will throw away your paid backup software and use this one; it's the best.

http://cobiansoft.com/cobianbackup.htm

Just install this on your users' Windows computers, tell it the backup destination is the share on the server, and you're done. It's beautiful.
File permissions vs. share permissions, and why to do it the hard way.

There are both File Permissions and Share Permissions at work whenever you access a share. File Permissions are the granddaddy of them all: if the File Permissions don't allow it, it's not going to happen, no matter what you tell the Share Permissions to do.

On the flip side, you could loosen up the File Permissions (something greater than 700) and control access using the Share Permissions. There is a great amount of flexibility here, and it's always tempting; you can pretty much achieve anything this way. But let's talk about why you shouldn't use them, and why you should rely on File Permissions instead (whenever possible).

As seen in the screen below, there are some very tempting choices.

You probably see a ton of flexibility there. But don't rely too heavily on share permissions, as these only apply to Samba access, and in this how-to our Linux box has several different access methods. If someone logs in a different way, via FTP or SSH, they can explore all files and folders that are set to 755, completely ignoring the Samba rules \ checkboxes above. We are of course going to tighten this up later, but you see the point. Limiting users this way is only respected by Samba, and not by any of the other modules, whereas limiting access by File Permissions keeps everybody out, no matter what access method they try.

I always try to make the Share Permissions match the File Permissions, because I'm telling myself this is the maximum access anyone could have, no matter what method they use to access it. And always keep confidential directories at 700 or below. This won't always be possible for all of your Samba needs; you may need more flexibility than this, but it's a good rule of thumb.

It's more work, and less flexible, but it's better to make a mistake and not let the right user in than to make a mistake and let the wrong user in.

I always consider permissions on the bottom row to be public. That's horribly inaccurate, but it's a good rule of thumb; I hardly ever use that bottom row, except for webservers. Again, horribly inaccurate for me to call that bottom row public, but I treat it so. I try to have a user or a group for every need, so I can make the file permissions match the share permissions.

Other is basically everyone, not requiring an account on the server to access the file.

We used it on a couple of our public shares. Just give that bottom row a lot of thought, and make sure you really need it (and you will).
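To see the point about the bottom row on a live config, here is an added shell script (mine, not the how-to's) that pulls every share path out of an smb.conf and reports the permission bits of that directory, flagging any share whose "other" bits are set, because those bits are what an FTP or SSH login sees regardless of the Samba checkboxes. It builds a constructed smb.conf and three sample directories under a temporary folder, so it runs without touching /etc/samba; the share names and modes mirror the ones made earlier.

```shell
#!/bin/sh
# Added example (not from the how-to): audit the filesystem permissions behind
# every Samba share. Share permissions in smb.conf only bind Samba; the mode
# bits on the directory bind every access method, so the "other" bits (the
# bottom row in Webmin) are what matter for FTP/SSH users.

# share_paths CONF
# Prints "share<TAB>path" for every [section] in CONF that has a "path =" line,
# skipping [global] (which has no share path).
share_paths() {
    awk '
        /^[ \t]*\[/ {
            name = $0
            sub(/^[ \t]*\[/, "", name)
            sub(/\].*$/, "", name)
            next
        }
        /^[ \t]*path[ \t]*=/ && name != "" && name != "global" {
            p = $0
            sub(/^[ \t]*path[ \t]*=[ \t]*/, "", p)
            sub(/[ \t]+$/, "", p)
            print name "\t" p
        }
    ' "$1"
}

# audit_shares CONF
# One line per share: "<share> <path> <perms> <ok|WORLD-ACCESSIBLE>", where
# perms is the rwx string from ls -ld and the flag is raised whenever the last
# three characters (the "other" bits) are not "---".
audit_shares() {
    share_paths "$1" | while IFS="$(printf '\t')" read -r share path; do
        if [ -d "$path" ]; then
            perms=$(ls -ld "$path" | cut -c2-10)
        else
            perms=missing
        fi
        case "$perms" in
            missing|*---) flag=ok ;;
            *)            flag=WORLD-ACCESSIBLE ;;
        esac
        printf '%s %s %s %s\n' "$share" "$path" "$perms" "$flag"
    done
}

# make_fixture
# Creates a constructed smb.conf and three share directories under a temp dir,
# with the modes the how-to used, and prints the temp dir path.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/roommate1" "$d/media" "$d/public"
    chmod 700 "$d/roommate1"   # confidential: owner only
    chmod 755 "$d/media"       # everyone may read, only wood may write
    chmod 755 "$d/public"      # writable through Samba only because of force user
    cat > "$d/smb.conf" <<EOF
[global]
   workgroup = DIY.LAN

[roommate1]
   path = $d/roommate1
   valid users = roommate1

[media]
   path = $d/media
   read only = yes

[public]
   path = $d/public
   force user = nobody
EOF
    echo "$d"
}
```

On the server, `audit_shares /etc/samba/smb.conf` lists the real shares; `make_fixture` exists only so the script can be tried safely first.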

If you don't want the Printers and Faxes folder to show up:

Add these three entries to the Samba configuration file /etc/samba/smb.conf

# In the section that talks about printers

load printers = no

disable spoolss = yes

show add printer wizard = no

# These have to be in the printers section

You can do that with either the File Manager or the Edit Config File button on the Samba screen below.

Click on Edit Config File.

You should see something like this.

Scroll down to the printers area, and add these three lines:

load printers = no
disable spoolss = yes
show add printer wizard = no

You should have something like this.

And while you're in there, scroll up and find the line that says include =
and comment it out with a #.

Webmin doesn't seem to like that include statement in there, so just comment it out if it's there.
(It probably won't be there, but look just in case.)

Click Save.

Then just restart the Samba service, or restart the server, and you should be good to go.

Sometimes the computer will prepend your domain name to your login. If you're having that problem, using 127.0.0.1\username or .\username as your username should fix it. Also make sure all your Windows computers are in the same workgroup of DIY.LAN, or whatever you used on page one during the Samba install.

You probably won't have that problem, but here is what the solution would look like.

Samba is cross-platform: Mac, Unix, Windows. Windows boxes use \\ip-address and/or \\server-name.

GUI Linux clients and Macintosh use smb://ip-address and/or smb://server-name.

In Ubuntu, that's under Go \ Location.

On a Mac I think it's under Go \ Server (or something like that).

Then just hit Enter, and you should see a list of shares, just as you did in Windows.

You want your Workgroup to match on all your computers if possible. On your Windows computers, you can change the workgroup in the same screen where you change the computer name. Just right-click on the My Computer icon, and select Properties.

In the Advanced tab, Computer Name, you can change the Workgroup to DIY.LAN.

Say OK, and reboot.

At this point Samba should be totally working, looking and behaving how you want it to.

============================= Troubleshooting ===========================

If you can access your Samba shares via the IP address, but not via the computer name, check these.

I will move fast through this because these settings are not the defaults; if you have these settings in place then you already know what I'm talking about.

Make sure you're getting your DNS info from your local DHCP server.

Or better yet:

If you have given your Linux box a static IP address, edit the file /etc/hosts and replace the line that reads 127.0.1.1 with your new static IP address.

It should look something like this.

Your /etc/resolv.conf should look something like this.

Also, reboot a few times, and make sure /etc/resolv.conf isn't being changed by your DHCP client.

And double-check your computer name is right in /etc/hostname.

And reboot.

I'm purposely going to keep moving fast through these next parts, using red font, because I don't recommend you do it unless you have a real need for browsing by name, and aren't planning on setting up a local DNS server. This is a manual band-aid for not having a local DNS server, which is the real fix to all of this, and is covered later in the advanced section.

First, on your Windows computer, edit the file c:\windows\system32\drivers\etc\hosts

And add the IP address and name of your Linux box (there are examples in that file that make it easy to understand).

Second, on your Windows computers, if you're using static IP addresses, you're probably not getting the right DNS suffix for your local network. Right-click on your network card and choose Properties, then double-click on TCP\IP (TCP\IP version 4 if you have two choices).

Then click on Advanced, and click on the DNS tab at the top. Add the suffix diy.lan (or whatever you picked on page 1) to the field that says DNS suffix for this connection.

Apply and reboot, and now your Windows machines will add .diy.lan to the end of everything you're searching for, which should fix any name resolution problems you may be having.
This is a manual band-aid for not having a local DNS server and DHCP feeding the machines information about your local network. I don't recommend doing it because it's really easy to forget those settings are there, and they will cause major headaches if you change your network setup and forget that it's still hard-coded at each machine.

Third, sometimes the following two settings can interfere with name browsing.
If you open up Webmin and navigate to the Samba Windows File Sharing module, and click on Unix Networking, setting the top one back to Automatic and the listen on address back to All can sometimes help. Just a warning though: these settings are needed later if you know you're going to continue on to the advanced section, where we add another network card and turn it into a router \ DDNS server. So you really shouldn't change it if you're going on to the advanced section.

The fourth fix is pretty extreme. If you open up Webmin and navigate to the Samba Windows File Sharing module, and click on Windows Networking, you should see a field that says Remote announce to. Just click the button that says from list and enter an IP address on the left, and your workgroup name on the right (DIY.LAN).

You can play around with what IP address works best for you. You can put the IP address of your router, so the Samba server announces its name to the router. Most routers will block directed broadcasts like this, so you will have to play around with it; you can put the IP addresses of certain computers you want the Samba server to announce its name to. You can announce it to all your machines by using 192.168.2.255 on the left and your workgroup name on the right. This is noisy and not recommended.

This ends the non-recommended troubleshooting part. It's my opinion that these settings should not be used. Remote announce to: is very noisy on your network, and static DNS entries are way too easy to forget about. But if you have a need for browsing by computer name, a combination of those should fix it.

============================= End Troubleshooting ===========================

Next we are going to set up Samba groups. On a small home network you probably won't need this. But as your network grows, or if you're setting up a small business network, this will become a must-have.

Extremely similar to what we did earlier, when we told Samba and Webmin that any time a user account is made, also make a matching Samba account, we need to tell Samba that any time a group is made, also make a matching Samba group. This isn't the law, but if you're following my how-to exactly, we are requiring every user to have a system account and a Samba account, and are matching filesystem permissions to share permissions. So for this to work right we have to have matching users and groups in both. But after a few clicks that will all be transparent anyway, and the system will automatically take care of all that for us.

Navigate to the Samba Windows File Sharing module, scroll down towards the bottom and click on the Configure automatic Unix and Samba group synchronization icon.

You should see something like this. Make the following changes and click Apply.

Just a reminder: you have to forever use the Webmin module for creating new users and groups, or this function won't happen.

Next navigate to the Users and Groups module, and click on Local Groups.

And then click on Create a new group.

You should see something like this. Make the following changes.

Click Create.

Now you have a group called mygroup1 that is both a Linux group and a Samba group, with the following members: roommates 1, 2, 3, and 4, and yourself (wood).

Next navigate to the Samba module, and click on Create a new file share.

You should see something like this. Make the following changes.

Notice the share is called pub4roomies, which to me means a public share, but only the roommates (and you) can access it: everyone in the group mygroup1.

Notice the Create with permissions are 770.

That's unlimited for the owner, unlimited for the group, and no access for everyone else (empty bottom row).

Make sure the owner is you and the group is mygroup1, and click Create.

You should have been returned to the main Samba screen, but there are a few more changes we still need to make.

Click on the pub4roomies share.

You should see something like this.

Click on File Permissions.

You should see something like this. Make the following changes.

You will have to click Save at this screen, and the next one.

You're almost done; we just have to make one small change to the permissions of the pub4roomies folder.

Using the Webmin File Manager module, navigate to the pub4roomies folder, click on it, then click Info.

Click the Files inherit group checkbox, and then click Save.
You could also optionally click the Only owners can delete files checkbox, if you didn't want the roommates deleting each other's stuff.
But this is a public share for them, so I wouldn't recommend checking that box, unless you have one jerk roommate :- )

That's it. Just navigate back to the Samba module and restart Samba.

Now any member of the mygroup1 group can access the pub4roomies share with full rights.

Newly uploaded files will get the uploading roommate as the owner and mygroup1 as the group, and be fully accessible and fully editable by all of that group's members.

That's pretty much it for Samba; there is just a little preventive stuff we should do next.

Let's...
Set up quotas for these new users
Set up the restricted password change module
Show users how to map their My Documents folder to the server.

We should set up quotas for the following users:

roommate1
roommate2
roommate3
roommate4
public
nobody

I left wood out, because wood is you.

You will need some big quotas here; your users will get a lot of use out of these Samba shares.

Similar to what you did earlier, set them up with a quota.

We also need to be concerned about the OS drive, because we set some of these users up in the /home directory as well as the /mymounts directory. We need to limit what they can put in /home. That's on the OS drive, known as mount point " / ". Let's just set them a ridiculously small quota, like 1MB, so they aren't storing data on the OS drive.

Quota isn't enabled yet on the OS drive, so we need to enable it.

We just need to make a simple change to the Disk and Network Filesystems module.

Navigate to the Disk and Network Filesystems module, and click on /

*Sometimes listed as / (root filesystem)

You should see something like this.

Change that from No to User only, and click Save.

Now the next time you navigate to the Quotas module, the OS disk / should be there.

Click on Enable Quotas.

Your computer will freak out for a couple of minutes while Quota is checking the OS. Give it time; it will eventually finish.

Once it finishes, click on /

And limit these users to 1MB:

roommate1
roommate2
roommate3
roommate4
public
nobody

*If you don't see a name you're looking for, you can click Edit Quota For and browse for it.
Now let's give them Usermin access, but restrict it to only password changes and quota view.

Navigate to the Usermin Configuration module, and click on Module Restrictions.

Then click Add a new user or group restriction.

You should see something like this. Make the following changes.

Do these same steps for

roommate2
roommate3
roommate4
wood

You don't have to worry about users public or nobody.

After you have added those other four users, we need to allow them Usermin access.

Click on the Allowed Users and Groups icon.

You should see something like this. Start adding the users.

Add the following users:

roommate1
roommate2
roommate3
roommate4
wood

Click Save.

Click Restart Usermin.

Now your Samba users, from inside your network, should be able to change their own passwords and view their quota, without seeing the File Manager like your internet users have.

To access Usermin, it's http://your-ip-address:20000

My IP is 192.168.2.1, so I would type http://192.168.2.1:20000

Log in as username roommate1, and you should see something like this.

As you can see, they only have two choices instead of four, because we don't want them to have the File Manager or the Upload and Download modules.

This is a really convenient way for your users to change their own password.

That's it for the locked-down Usermin config. Now you can show your users how to map their My Documents folder to the server (if you want).

That way, when they save files to their My Documents folder on their PCs and laptops, they are actually saving them to their server share.

First have them log in to their share, and make a folder per computer. Something like my_dell_laptop and my_gateway_pc.

Assuming this is roommate1 you're working on, and assuming he has a Gateway desktop PC and a Dell laptop, and assuming you're sitting in front of the laptop right now:

Just right-click on his My Documents folder, and choose Properties.

And change the Target path from whatever it says to
\\192.168.2.1\roommate1\my_dell_laptop
Now everything roommate1 saves to his My Documents folder will actually be on the server.

And now from his Gateway desktop, if he goes to \\192.168.2.1\ and logs in, he can get to his laptop files from his desktop.

And vice versa, once both are set up this way.

Just make sure to move the current data out of My Documents first, and paste it back in after the target has been changed. If you change the target while their data is still in there, it will appear to the user like all the data is gone, because the My Documents folder isn't looking at their c:\Documents and Settings\user profile anymore.

For users doing the My Documents thing you will probably want to set them up to pass-through authenticate, meaning you will want them logging into Windows with the same username and password as their share. In this example, you would set roommate1's computer to log in to Windows as username roommate1.

That will allow him to pass through his Windows login credentials to the shares.

If this isn't possible, then you will probably want to map a network drive to a drive letter, and then move the My Documents target to that drive letter.

Either way works fine; the pass-through authentication is best.

That's about it for Samba. It would have been better to set it up on a separate computer, a computer without internet access even.

In the more advanced parts of this how-to, we are going to set up a VMware Server, which can run multiple virtual machines off this one machine, all managed over a webpage. This can also be a helpful way to separate Samba from FTP into two machines; just have them running on different virtual machines.

There are countless ways to do it, depending on your security philosophies.

Anyway, back to work.

Next we are going to connect to a file share running on a Windows machine. Let's say the IP address of the Windows machine is 192.168.2.6 and it's allowing Admin$ shares on C.
We will mount this on our Linux box as folder /mymounts/samba2dot6

This folder naming to me means: I mounted it (hence the folder mymounts), and that it's a Samba connection to machine 192.168.2.6.

In this example, the entire contents of the 192.168.2.6 hard drive will be accessible and usable from your Linux box.

Navigate to the Disk and Network Filesystems module and click on Mount type smbfs.

I have had many users say that option isn't there. If it isn't there, the following three steps should make it show up.

First, make sure you didn't miss the page that talked about apt-get install smbfs

*This how-to isn't written to be able to skip pages.

Second, upgrade Webmin to the latest version.

Navigate to the Webmin Configuration module, and click on Upgrade Webmin.

You should see something like this.

Choose Latest Version from www.webmin.com, and then click Upgrade Webmin.

If successful you should see something like this.

Third, click on Refresh Modules.

*Note: remember you can also upgrade Usermin the same way.

After the refresh is finished you should have smbfs as a mount type in the Disk and Network Filesystems module.

Add the mount type smbfs, and you should see something like this.

Give some thought to mounting it at boot or not. If 192.168.2.6 is on all the time, this shouldn't be a problem. But for the most part, you wouldn't want to choose to mount it at boot time.

Also give some thought to the account you use, because that password will be saved in the file /etc/fstab

This isn't a security risk at all; nobody should have that kind of access to your machine to be able to read that file. Linux is already set up to not allow that. But without local file encryption, and a couple of security guards, there is always a chance it can happen
(like if the computer was stolen, or booted off a live CD).

We talk about filesystem encryption later in the how-to. But giving a lot of thought to the passwords you put in that file is important too.
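An added alternative to typing the password into the mount form (my example, not the how-to's): keep it in a root-only credentials file and reference that file from /etc/fstab, which is mode 644 on a default Debian install, so anything written straight into it is readable by every local account. It assumes the credentials= mount option, which mount.cifs (the successor of the smbfs helper) accepts; the host, share and mount point are the how-to's example values and the password is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the how-to: keep the Windows password out of /etc/fstab
# by placing it in a 0600 credentials file and pointing the mount at that file.
# Assumes the credentials= option of mount.cifs (cifs replaced smbfs in later
# kernels); the password used in the test is a constructed placeholder.

# write_credentials FILE USER PASS [DOMAIN]
# Creates FILE with mode 0600 (umask 077 applies before the first byte is
# written) in the username=/password=/domain= layout that credentials= expects.
# Refuses to overwrite an existing file so a typo cannot clobber another secret.
write_credentials() {
    file=$1
    user=$2
    pass=$3
    domain=${4:-}
    if [ -e "$file" ]; then
        echo "refusing to overwrite $file" >&2
        return 1
    fi
    (
        umask 077
        {
            printf 'username=%s\n' "$user"
            printf 'password=%s\n' "$pass"
            if [ -n "$domain" ]; then
                printf 'domain=%s\n' "$domain"
            fi
        } > "$file"
    )
}

# credentials_ok FILE -> 0 only if FILE is a regular file readable by its owner alone
credentials_ok() {
    if [ -f "$1" ] && [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]; then
        return 0
    fi
    return 1
}

# fstab_line HOST SHARE MOUNTPOINT CREDFILE
# Builds the /etc/fstab entry. noauto matches the how-to's advice not to mount a
# Windows box at boot unless it is always on; uid/gid/file_mode/dir_mode keep the
# mounted tree readable by root only, the same 700 rule used for confidential data.
fstab_line() {
    printf '//%s/%s %s cifs credentials=%s,noauto,uid=0,gid=0,file_mode=0600,dir_mode=0700 0 0\n' \
        "$1" "$2" "$3" "$4"
}
```

Append the printed line to /etc/fstab and mount it as root; the password then appears neither in fstab nor in the mount table.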

As you can see, I'm accessing computer 192.168.2.6's admin share on c$

Which should mean you have to provide an admin-level password of that machine to access that share. But a workaround is that Windows Backup Operators can also access admin shares. So if you make an account on the Windows PC you're wanting to connect to, and you made that account a Backup Operator, and not an admin, it would still work.

Or even better, create an actual share that a user-level account can access, instead of using the admin share C$. I'm just lazy and use the admin shares, as a Backup Operator, so I can access the entire drive without giving up the admin password.

But putting a less important password in the box is smart any way you look at it.

After you create the mount, you can view the Windows PC files on your Linux box by navigating to the folder

/mymounts/samba2dot6/
Next we are going to create some scheduled backup schemes.

Using the File Manager, create a folder called

/mymounts/vraid/osbackups

We are going to create one schedule for Operating System related stuff, and another for our data. For the Operating System scheduled backup, we are going to use the Backup Configuration Modules module.

Navigate to the Backup Configuration Modules module, and click on Scheduled Backups.

And then click on Add a new scheduled backup.

Notice there is also a Restore Now tab at the top. In the event something goes horribly wrong, or you're setting up a new system, you can restore them using these backups and the Restore Now tab.

Click on Add a new scheduled backup, and you should see something like this.

Notice how you are able to click on multiple choices in the Modules to backup box. You can do this by holding down the Control key (Ctrl) on your keyboard while clicking on the choices.
Click on all the modules you would like to be part of this scheduled backup. Select as many as you want.

Notice I selected backup destination Local file

/mymounts/vraid/osbackups/bcf.tar

That's bcf.tar, which means to me Backup Configuration Files.

And it's important we put it on disk 2 (/mymounts/vraid/). That way if disk 1 goes bad, we have a backup on disk 2.

Check all three boxes under Include in backup.

And list the system files you want a backup of that didn't have a module associated with them.

Operating System stuff only ( / ); don't include anything from the second hard drive (the data drive /mymounts/vraid/).

We will make a different kind of backup scheme for that data, using a different module.

Put your local email address: the username created on page 18, followed by @localhost

So mine is wood@localhost

If you select Simple schedule, you don't have to use the minutes\hours\days schedule below.

Click the Save button, and it will schedule the backup job every month, on the 1st.
Or better yet, click Save and Backup Now so you can make sure it works.

It will overwrite that file every month, which is probably what you want. But if you would rather keep every backup job it makes, you can change the filename from

/mymounts/vraid/osbackups/bcf.tar

to

/mymounts/vraid/osbackups/%m_%d_%Y_bcf.tar

This will add the current date to the filename, which will be different every month, so it won't overwrite your backups.

That's pretty much it. You can import these backups as a restore, and be back up and running in minutes instead of days.

The backups will be compressed into a single file using the TAR format. You can extract them and see them using the File Manager module.

Just navigate to where the backup jobs are, and you should see a .tar file.

Extracting can be messy if you don't contain it to a folder. So create a new folder called 2bdeleted

And copy the .tar file in there.

Then highlight it, and click Extract.

Say yes if prompted.

Once they extract, you will see all the configuration files you selected to be backed up were indeed backed up.

The folder structure will be a little confusing at first. If you told it to back up /etc/vsftpd.conf, it will copy the folder structure.

You won't just see the file vsftpd.conf; you will see the folder etc, and the file vsftpd.conf inside of it.

That's about it. If you ever need to restore the file or refer to it, you can find them here.

And you should have a local email, telling you all about it.

Now we will set up a scheduled backup for the data drive. That uses a different module called Filesystem Backup.

Navigate to the Filesystem Backup module.

Select in TAR format.

And browse to user jdoe's home directory.

Then click the Add a new backup of directory button.

You should see something like this.

Expand the two green arrows so you can see everything, and make the following changes.

The Backup to field reads /options/%m_%d_%Y_jdoe.tar

Keep the backup label name short and sweet; they don't allow it to be very long.

You only need to change the Minutes, Hours, and Days. That's because we want it to run every month, so we don't want to specify a month, or it will only run in that particular month.

This particular schedule says: at 23:01 (11:01pm) on the second day of every month, run the backup.

I did the second day because we already have the Operating System backup scheduled on the first. You don't want to schedule them at the same time; that is too much work for the server to handle, so I did the second of every month.

Be careful not to select more than one number, like this.

Because it will let you, if you're not careful. Holding down the Control key on your keyboard will help you deselect them if this happens.

That's about it, except the backup directory (/options) I selected would be a horrible place for your backups.

You would want to install a third or fourth disk for these backup jobs, or maybe even a large USB drive. Or even better, take advantage of that SSH button, and do offsite backups, meaning the backups exist on a different computer, a separate Linux box somewhere.

Earlier we talked about having a second computer set up only with Samba and SSH. You could use that SSH option to send the backups to that computer. This is the best form of backups, as it gets the files off the computer and into a second location, just in case that computer catches fire or is stolen or something.

This second computer doesn't even have to be on your same network; it can be on the internet somewhere, and SSH will encrypt the transfer and the passwords for you.

Click the Create button and it should return you to the main screen.

If you get an error like the one below, then just click on the Module Config link at the top of the page.

You should see something like this.

Change the following two options to Yes, then click Save.

You should be returned to the main page.

Notice the TAR option is gone, because we set it as the default. Also that red error message should be gone as well.

Let's make another backup. They get easier after the first one, because instead of choosing a specific time, you can tell it to start after the one before it finishes.

Select the home directory for user testuser.

Notice there is an Enable after option now.

So instead of picking times and guessing when you think they will be done by, just tell it to start the next job after the previous one finishes.

You can keep building on this: have the third job start after the second job finishes, and the fourth job after the third finishes, and so on and so on.
Don't forget about your Samba users (nshares folder).

As your list starts to grow, you can see the schedule on the right.

Here we can see that the second job starts after the first one finishes.

That's pretty much it for the backups; just set it and forget it. And you should get local emails with the statuses.

Just remember /options/ is a horrible place; I just used that as an example. Get some more hard drives, or an external drive, or better yet use SSH to another computer.

You can also export your users and their passwords to a file. This is really useful if you're planning on upgrading to a new server, but don't want to have to reset all your users' passwords.

Navigate to the Users and Groups module.

Take note of the User ID numbers you're interested in (they will usually be over 1,000).

And then click on Export to batch file.

You should see something like this.

Make the following changes, and tweak your UID range.

Click Export Now.

If successful, you should see something like this.

And be a nice admin, and consider that file extremely confidential.

Now you can build a new server, import those accounts using the Run batch file button under the Users and Groups module, and your users will never know anything has changed.
See why you should change your password more often :- )
That's pretty much all there is to it.

Next we will talk about disk maintenance and troubleshooting. Every so often you should run fsck (File System Check) on your hard drives; it's a lot
like scandisk. There are a few things you need to know before running this. The hard drive can't be mounted, it first needs to be un-mounted. Some
Google searches will tell you the options to force it to check mounted drives; don't ever do that. Never scan a drive that is mounted. It only takes a
second to un-mount it, take the time to do that, it's well worth it.

You can't really scandisk your OS drive, because you're not able to un-mount it. Some Google searches will tell you to use Single-User-Mode
to do it, which is similar to Windows Safe-Mode; don't ever do that either. It's do-able, but not worth the repercussions of typing something wrong.
If you want to scan your OS drive, you should boot off a Linux Live CD, and run the commands below. Being booted off the Live CD will ensure the
drive is not in use. It's worth the extra effort.

Your data drives are a lot easier to scan, because you can easily un-mount them

Let's say you want to run a quick scan on the partition /dev/sdb1

You would launch a Putty or SSH2 module session, and type

umount /dev/sdb1
That will un-mount the partition

Then type

fsck.ext3 -y /dev/sdb1

This command assumes you're checking a partition formatted as EXT3. If you have been following this how-to, your drives are ext3. Running this on a
non-EXT3 formatted drive will cause major problems, and you won't get the warning, because the -y will answer yes to any prompts.

410
This will run a quick scan on the hard drive, and the -y tells it to answer yes to any questions.

If you wanted to do a more in-depth scan, you could run

fsck.ext3 -c -p -v -f /dev/sdb1

The -c tells it to look for bad blocks on the hard drive; this scan will take a very, very long time.

And if you wanted to take it even further, maybe you have a drive you're having problems with, you could run the following command

fsck.ext3 -c -c -p -v -f /dev/sdb1

Specifying -c twice like that will do a read and then a write test to every spot on the partition.

It claims to be non-destructive. I'm not sure I would feel comfortable doing this command on a drive that I didn't have a backup of. I've personally
never done it on a drive that had data on it that I cared about. I'm sure it's safe, Linux is amazing, it's just the write part of that scares me. Do
yourself a favor and make a backup first.

Options -c and -c -c will note any bad blocks that are found, and mark them as not usable. At this point the disk is fixed; a couple of bad blocks is
bound to happen. But if you have this problem more than once on the same disk, I would consider replacing it, and making sure your backups are up
to date for that drive.
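The two rules above (never check a mounted partition, and never run fsck.ext3 against something that is not ext3) are easy to get wrong from a remote shell late at night. As an added example that is not part of the original how-to, here is a small POSIX shell wrapper that enforces both before calling fsck: it refuses any device that appears in the mount table, and it picks fsck.ext2/ext3/ext4 from the type blkid reports instead of assuming ext3. It assumes blkid from util-linux is installed and that it runs as root; the MOUNTS_FILE variable is my own addition so the mount check can be exercised against a constructed table (by default it reads /proc/mounts).

```shell
#!/bin/sh
# safe_fsck.sh (added example): run fsck only on an unmounted partition whose
# filesystem type is known. Run as root, e.g.: sh safe_fsck.sh /dev/sdb1

# Where to look for mounted devices; overridable so the check can be tested
# against a constructed table instead of the live system.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# is_mounted DEV -> success if DEV is the source of any mount in MOUNTS_FILE
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# fs_type DEV -> prints the filesystem type blkid detects (empty if unknown)
fs_type() {
    blkid -o value -s TYPE "$1" 2>/dev/null
}

# plan_fsck DEV FSTYPE -> prints the fsck command line for DEV, or fails with
# a reason on stderr. -p repairs safely, -f forces the check, -v is verbose;
# the bad-block scan (-c) is left out here because of how long it takes.
plan_fsck() {
    dev="$1"
    fstype="$2"
    if is_mounted "$dev"; then
        echo "refusing: $dev is mounted, unmount it first" >&2
        return 1
    fi
    case "$fstype" in
        ext2|ext3|ext4)
            echo "fsck.$fstype -p -v -f $dev"
            ;;
        *)
            echo "refusing: unsupported or unknown filesystem '$fstype' on $dev" >&2
            return 2
            ;;
    esac
}

# safe_fsck DEV -> detect the type, plan the command, and run it
safe_fsck() {
    cmd=$(plan_fsck "$1" "$(fs_type "$1")") || return $?
    echo "running: $cmd"
    $cmd
}

# With a device argument, check it; with none, only define the functions.
if [ -n "${1:-}" ]; then
    safe_fsck "$1"
fi
```

The mount check compares the device path literally against the first column of the mount table, which is what /proc/mounts shows for a partition mounted by UUID as well, so /dev/sdb1 is caught either way. If you want the bad-block scan, add -c (or -c -c) to the command plan_fsck prints, with the backup caveat from the text.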

If you already have a backup, and you really want to try reviving the disk, you can do the following. Note these steps are destructive, and your data
will for sure be gone.

Type the following commands (this series of commands will take many days to complete)
Do yourself a favor and just buy another hard drive :- )

fdisk /dev/sdb

m
d
w

dd if=/dev/zero of=/dev/sdb

411
fdisk /dev/sdb

m
d
n
p
1
Enter
Enter
w

mkfs.ext3 /dev/sdb1

fsck.ext3 -c -c -y /dev/sdb1

You just used fdisk to delete the partition. Then you used dd to zero out the drive. Then you used fdisk to create a new partition. Then you used mkfs to
format it with the EXT3 file system. Then you checked the file system, both read and write, using fsck.

That's extremely thorough, and will take many days to complete those steps. You may even want to hook up a keyboard and monitor, because it will
take so long, you will probably be tempted to close your Putty or SSH2 connection. This would make it hard to watch the progress. This is pretty
extreme; with today's prices and warranties, you may want to consider replacing the drive when fsck finds problems more than once.

You can then use the Disk and Network Filesystems module to remount the drive. And that's about it for disk maintenance.

Next we are going to set up the firewall, using IPTables. This is optional at this point because you're behind the firewall of your router. So this
would, at this point, just be a firewall inside your LAN. But in some cases, especially small business networks, not everyone on your internal network
is trusted. So if you don't completely trust all the traffic inside your network, then you would want to set up the firewall.

Navigate to the Linux Firewall Module

412
Choose block all except SSH and IDENT on external interface eth0

413
Do not click the Enable firewall at boot time option. We will eventually enable that, but not yet. Since we are doing this remotely, we need a way to
undo it if we mess something up, so for now, don't start it at boot time.

Then click the Setup Firewall button

You should see something like this. Stay away from that Apply button for a while; if you click it now you will lock yourself out of Webmin

414
415
If you lock yourself out, rebooting will let you back in

We can get away with this only because we are not setting the firewall to start at boot time (yet)
Also stay away from that Apply button for now.

Next delete the following conditions by putting a check box next to them, and clicking Delete Selected

Make sure to delete all the ones I have checked. We will add ICMP (ping) back later on, but for this test it needs to be gone.

416
You should see something like this
Change the default action for forwarded packets to Drop
Then click the Set Default Action To button

Stay away from Apply button.

417
Click on the green word Accept next to port 22

You should see something like this; don't make any changes

418
We aren't making changes on this screen; we are going to press the Clone Rule button at the bottom, which will save us lots of typing.

419
Press Clone Rule; the screen will refresh and you're now looking at a copy of the port 22 firewall rule

Make the following changes

420
Change the Rule Comment
From Allow connections to our SSH Server
To Allow connections to our Webmin Server

Change Destination TCP or UDP port


From 22
To 10000

421
Now scroll down and press the Create button
You should see something like this

Note the port 22 exception is still there, because we didn't change it, we only cloned it.

422
And now we have a port 10000 firewall exception as well

Keep doing that for ports

20 (ftp20)

21 (ftp21)

80 (web80)

445 (samba)

20000 (usermin)

Don't forget to click Clone every time you click on port 22; you don't want to make changes to port 22, you just want to keep cloning it.

You should eventually see something like this

423
Stay away from the apply button

424
Click on the green word accept next to port 445

We are going to lock Samba down a little further. It's a little overkill for this setup, but it's expected later on in the how-to

You should see something like this

425
Make the following changes

426
This will tell the firewall to only let in Samba clients that have a 192.168.2.xxx IP address. The /24 is the network mask: the first three octets must match, and the last octet can be anything (host addresses 1 to 254)

If you're on a 192.168.0.1 network, you would use 192.168.0.0/24

If you're on a 192.168.1.1 network, you would use 192.168.1.0/24
If you're on a 10.10.10.1 network, you would use 10.10.10.0/24

Again, a little overkill right now, but we need it later on. Click on Save

427
You should see something like this

You're now ready to hit Apply at the bottom, but make sure Active at boot still says No

428
429
Test everything except FTP (there is another change we have to make for FTP before it will work).
Make sure you can still get to Webmin, Usermin, Putty, Samba, your websites, etc.

If everything is working, return to the Linux Firewall module and tell it to be active at boot time. Click Yes, and then click the Activate at
boot button

430
Then hit the Apply Configuration button, and navigate to the Bootup and Shutdown module.

Using the Bootup and Shutdown module, reboot the Linux box.

Wait a couple minutes and make sure you can still get back into everything.

Now from your Windows PC, try to ping your Linux box
This should fail

If it fails, then that's good; it means your firewall is loading at startup and doing its job.

431
If it replies like this

Then something isn't right, go back and fix it.

Once you have it working, you will probably want to allow pings. Pinging is very useful for trouble-shooting.

So once you're sure your firewall is working, you can allow ping by going back to the Linux Firewall module and adding the following input rule

432
Click on Add Rule

Make the following changes

433
434
Then click the Create button

Then click the Apply button

You should now be able to ping the Linux box

Now let's make sure you are still able to access the internet

Using the Command Shell module, run the following command

traceroute google.com

435
I like to use traceroute instead of ping from a Linux box, because I can never remember the ping limit options off the top of my head.
By default ping never gives up in Linux unless you give it extra instructions. So from this view don't use ping, because it will
run forever in the background. If you want to use ping, make sure you're using Putty or the SSH2 module, where you can interact
with ping and stop it (using Control + C on your keyboard), or include the extra command line option to tell ping to give up after
5 attempts: ping -c 5 google.com

If successful, you should see something like this, with a bunch of numbers. It's ok if you have more or fewer than
13 hops; we are just looking to see that it is hopping outside your network.

If you get a bunch of fails, go back and figure it out. Your firewall is blocking everything incoming unless you requested it. Here you're requesting it, so
it counts as Established \ Related, and your firewall should be letting that through, as it originated from you, inside the firewall.

436
That's pretty much it. If you're still using FTP instead of SFTP, you might have to make this tweak if FTP stops working. If you're using SFTP, or if FTP
is working, you do not need to do this.

Navigate to the File Manager module, and edit the file /etc/rc.local

Add the following line

/sbin/modprobe ip_conntrack_ftp

You should see something like this

437
Save it, and reboot the computer.

That rc.local file executes every time the computer starts up, so it should load every time now.

Once the reboot is finished, try FTP

438
It should be working now, if not, go back and figure it out.

You now have an extremely powerful firewall running, doing per-packet inspection and filtering. That's just the tip of the iceberg of what IPTables
can do, but it should be all you need for now. As you get more comfortable with it, you can enable logging, and start reading the log files of blocked
packets and connection attempts.
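To make it clear what all that clicking in the Linux Firewall module actually produced, here is the same ruleset written out by hand as an added example; it is not the page's own output nor what Webmin generates verbatim. It assumes the single-NIC setup at this point in the how-to, the ports opened above (22, 10000, 20, 21, 80, 445 restricted to the LAN, 20000, plus ping), a default DROP on INPUT and FORWARD, and that iptables-restore and modprobe are available as root. The lan_cidr helper does the /24 arithmetic the text describes (192.168.2.1 becomes 192.168.2.0/24), and apply_rules loads the FTP connection-tracking helper that the rc.local tweak above exists for (nf_conntrack_ftp is the module name on current kernels; ip_conntrack_ftp is the older name the page uses).

```shell
#!/bin/sh
# lan_firewall.sh (added example): the INPUT policy built above in the Webmin
# module, expressed as an iptables-restore rule set. Run as root:
#   sh lan_firewall.sh 192.168.2.1          # print the rules for eth0's LAN
#   sh lan_firewall.sh 192.168.2.1 apply    # load them (only after testing!)

# lan_cidr IP -> the /24 network IP belongs to: 192.168.2.1 -> 192.168.2.0/24
lan_cidr() {
    echo "${1%.*}.0/24"
}

# build_rules LAN -> print the rule set in iptables-save format
build_rules() {
    lan="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, plus replies to connections this box started (the traceroute test relies on this)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the services the how-to clones from the port 22 rule
-A INPUT -p tcp --dport 22 -m comment --comment "ssh" -j ACCEPT
-A INPUT -p tcp --dport 10000 -m comment --comment "webmin" -j ACCEPT
-A INPUT -p tcp --dport 20 -m comment --comment "ftp-data" -j ACCEPT
-A INPUT -p tcp --dport 21 -m comment --comment "ftp" -j ACCEPT
-A INPUT -p tcp --dport 80 -m comment --comment "web" -j ACCEPT
-A INPUT -p tcp -s $lan --dport 445 -m comment --comment "samba, LAN only" -j ACCEPT
-A INPUT -p tcp --dport 20000 -m comment --comment "usermin" -j ACCEPT
# ping, added once the rest is verified working
-A INPUT -p icmp --icmp-type echo-request -m comment --comment "ping" -j ACCEPT
COMMIT
EOF
}

# accept_count LAN -> how many ACCEPT rules the set contains (a quick sanity check)
accept_count() {
    build_rules "$1" | grep -c -- '-j ACCEPT'
}

# apply_rules LAN -> load the FTP connection-tracking helper (nf_conntrack_ftp on
# current kernels; ip_conntrack_ftp was the old name) and install the rules
apply_rules() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    build_rules "$1" | iptables-restore
}

if [ -n "${1:-}" ]; then
    lan=$(lan_cidr "$1")
    if [ "${2:-}" = "apply" ]; then
        apply_rules "$lan"
    else
        build_rules "$lan"
    fi
fi
```

Like the Webmin steps, this loads nothing at boot by itself: print the rules first, apply them from an SSH session you are willing to lose, and only once Webmin, SSH and Samba still answer make them persistent (the module's Active at boot button, or Debian's iptables-persistent package, does that part).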

Next we will set up etherwake, a Wake-On-LAN tool that will allow you to wake computers on your network from within Webmin.

Navigate to the Custom Commands and click on Create a new custom command

439
You should see something like this, make the following changes

440
Give it a description saying which computer it is (a computer on your LAN \ subnet that you are trying to wake up)

And the actual command is etherwake -b <mac address>

Just make sure the MAC address is separated by colons :


For help finding the MAC address of a computer, refer back to earlier pages (often referred to as hwaddress or physical address)

Click Save

Make one for every computer you think you would ever want to wake up

*Advanced* Later on in the how-to, you will have two NICs. One will be so strongly firewalled that it will stop etherwake from
working. There is a simple fix: just use the interface option -i to tell etherwake which NIC to use

example: etherwake -b -i eth1 00:1a:a0:a9:3b:b0
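Since the MAC address gets typed once into a Custom Command button and then never looked at again, a typo (a dash-separated address copied from ipconfig, or a letter o where a zero belongs) just silently wakes nothing. As an added example that is not part of the original how-to, this small wrapper normalises and validates the address before calling etherwake, and takes the optional interface for the two-NIC case described above. It assumes etherwake is installed and that the script is run as root; the function names are mine.

```shell
#!/bin/sh
# wake.sh (added example): check a MAC address before handing it to etherwake.
# Usage: sh wake.sh 00-1A-A0-A9-3B-B0 [eth1]

# normalize_mac MAC -> lower-case, colon-separated (Windows ipconfig prints dashes)
normalize_mac() {
    printf '%s\n' "$1" | sed 'y/ABCDEF-/abcdef:/'
}

# valid_mac MAC -> success only for six colon-separated hex pairs
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# wake_cmd MAC [IFACE] -> prints the etherwake command line, or fails on a bad MAC.
# -b sends the magic packet as a broadcast; -i picks the NIC on a multi-NIC box.
wake_cmd() {
    mac=$(normalize_mac "$1")
    iface="${2:-}"
    if ! valid_mac "$mac"; then
        echo "invalid MAC address '$1' (expected aa:bb:cc:dd:ee:ff)" >&2
        return 1
    fi
    if [ -n "$iface" ]; then
        echo "etherwake -b -i $iface $mac"
    else
        echo "etherwake -b $mac"
    fi
}

# wake MAC [IFACE] -> actually send the packet (etherwake needs root)
wake() {
    cmd=$(wake_cmd "$@") || return 1
    $cmd
}

if [ -n "${1:-}" ]; then
    wake "$@"
fi
```

Pointing a Custom Command button at this script instead of at etherwake directly means a bad address gives you an error in the Webmin output rather than a quiet nothing.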


You should eventually see something like this

441
You can use these custom commands for just about anything you want. I like to use them for hard to remember commands, or commands I run a lot.

Eventually you will have an entire page of custom command buttons: just point, click, and voilà

I like to make traceroute and ping buttons as well, because a Linux ping won't stop unless you interact with it, so you can make a custom command
button with the -c option to tell it when to stop.

*Advanced* If you have a smart phone with a browser, you can access these custom command buttons from your phone, and do tasks like wake-on-lan
right from your cell phone, without the need for any kind of shell access. Just make sure your phone is not set to remember any passwords or web
history. Make a lot of these custom command buttons, they are very cool.

442
That's it for the basic setup. If you start to have stability problems with your server, you can use a program called monit, that will monitor services
and restart them if they fail. It also has a web interface with some cool functionality. Also, if you start to see a lot of hack attempts in your log files,
you can use a program called fail2ban (apt-get install fail2ban). This program will block a user by their IP address for a configurable amount of time
after a configurable number of attempts. They are super easy to configure and you can find many excellent examples on Google and on
http://ubuntuforums.org

Next is the optional \ advanced setup. Not that it's any harder than anything you have done so far, it's just that we are going to move on to more dedicated
uses, where the computer needs to be up 24 hours a day, 7 days a week. We are going to turn the Linux box into your Router \ NAT \ Firewall, a
VMWare server, a local DNS box with dynamically updating clients, a DHCP server, etc.

If you're not interested in any of that, you can stop at the end of this page. You're encouraged to continue, it's all really cool stuff, but setting the
Linux box up as your router is kind of a big commitment on your part: when it's down, your internet connection is down. Setting up VMWare requires
a powerful computer with lots of RAM.
*Note, if you're planning a VMWare server (Page 5 \ advanced) or any kind of Hypervisor, see this disclaimer before you begin

DNS is a lot of work for small networks. You don't need a DHCP server if you're not replacing your router, and you don't need a DDNS update
client if you're not using local DNS. So this may be a good time to stop if you're not interested in virtualization and networking. Thanks for using
my how-to, let me know how it goes.

If you're stopping here, you may want to check out my "Do More" section.

Remember to periodically check for updates with apt-get update followed by apt-get dist-upgrade

That will ensure you have the latest patches and upgrades

You can find my email address and blog link on my homepage http://woodel.com Thanks! KevinTheComputerGuy

Advanced.

If you're choosing to go on, welcome to the advanced section.

First we are going to set up rssh (restricted ssh)

I'm not going to spend too much time on this one. We are going to move pretty fast through it, as many of its uses are far
more complicated than some of the software solutions that exist today.

443
SSH is awesome, but it gives users access to way too much.
rssh gives you basic SSH functionality, with the ability to pick and choose what access to give them

apt-get install rssh


After the install completes, edit the file /etc/rssh.conf

You should see something like this, make the following changes

Comment everything out except allowscp

And change the umask to 777

444
Then click save and close

That's probably throwing up some red flags for you. 777 means full access, right?
In file permissions it does; umask is the opposite. Setting the umask to 777 will result in the exact opposite file permissions, 000.

As you can tell, we are really locking down this user. To the point of paranoia.

With file permissions of 000, only root will be able to see these files. That's because we are going to use this user, in a batch file, to remotely back up
files from a Windows PC. His password will be in plain text in said batch file, and could be compromised.
So we want to make sure, even if the password fell into the wrong hands, that they couldn't do anything with it.

Next let's create an rssh user, named backupbot

Navigate to the Users and Groups module, and click on Create a new user

Now when you make a new user, rssh is available as a shell you can choose from for newly created users.

445
If you don't see it in the drop down menu, just choose Other and browse to /usr/bin/rssh

See below: this user I created, I put in shell /usr/bin/rssh

Select normal password, and give this user a password

And, you want to make sure you don't select the option to create him in other modules.

This user is going to be an rssh user only

446
Now for the next level of paranoia. Navigate to user backupbot's home directory, and set the following permissions.

447
448
With these permissions, that user won't even be able to see the files they upload. This is because if someone finds this password in your batch file,
you don't want them browsing the home directory.

That's some pretty extreme lock down we just did. You can take it even further with chroot in rssh, and use it to jail the user inside a directory. And
you can use the file permissions to inherit a group that doesn't exist, or doesn't have a user in it. I'm not going to go too much into the rest of this
setup, but here are some hints if you're interested in pursuing it.
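The whole point of this account is that a password sitting in a batch file buys an attacker nothing, and that only holds while every one of the settings above stays in place: rssh as the shell, allowscp as the only enabled option, umask 777, and a home directory that group and world cannot read. As an added example, not part of the original how-to, here is a check script that verifies all of that for a given user, the kind of thing to run after a Webmin session or an rssh upgrade. It assumes the Debian paths used on this page (/usr/bin/rssh, /etc/rssh.conf) and GNU stat; the PASSWD_FILE and RSSH_CONF variables are my own so the checks can be run against constructed files. The exact directory mode the screenshot sets is not in the text, so the script only insists that neither the group nor the world read bit is set.

```shell
#!/bin/sh
# check_backupbot.sh (added example): verify an scp-only account is locked down
# the way the how-to intends. Usage: sh check_backupbot.sh backupbot

# Overridable so the checks can be run against constructed files.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
RSSH_CONF="${RSSH_CONF:-/etc/rssh.conf}"

# passwd_field USER N -> field N of USER's passwd entry (6 = home, 7 = shell)
passwd_field() {
    awk -F: -v u="$1" -v n="$2" '$1 == u { print $n; found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# rssh_allows KEYWORD -> success if KEYWORD is active in rssh.conf (not commented out)
rssh_allows() {
    grep -Eq "^[[:space:]]*$1([[:space:]]|$)" "$RSSH_CONF"
}

# rssh_umask_is VALUE -> success if rssh.conf sets "umask = VALUE"
rssh_umask_is() {
    grep -Eq "^[[:space:]]*umask[[:space:]]*=[[:space:]]*$1[[:space:]]*$" "$RSSH_CONF"
}

# check_backup_user USER -> prints one line per problem found; succeeds only if none
check_backup_user() {
    user="$1"
    problems=0
    shell=$(passwd_field "$user" 7) || { echo "no such user: $user"; return 1; }
    home=$(passwd_field "$user" 6)
    if [ "$shell" != "/usr/bin/rssh" ]; then
        echo "shell is $shell, expected /usr/bin/rssh"
        problems=$((problems + 1))
    fi
    # only scp is allowed; everything else in rssh.conf stays commented out
    rssh_allows allowscp || { echo "allowscp is not enabled in $RSSH_CONF"; problems=$((problems + 1)); }
    for kw in allowsftp allowcvs allowrdist allowrsync; do
        if rssh_allows "$kw"; then
            echo "$kw is enabled in $RSSH_CONF; the how-to comments it out"
            problems=$((problems + 1))
        fi
    done
    # umask 777 makes every uploaded file mode 000, readable by root only
    rssh_umask_is 777 || { echo "umask in $RSSH_CONF is not 777"; problems=$((problems + 1)); }
    # the home directory must not be readable by group or others (no read bit in
    # the last two octal digits), so a leaked password cannot be used to browse uploads
    if [ -d "$home" ]; then
        mode=$(stat -c '%a' "$home")
        case "$mode" in
            *[4-7]?|*?[4-7])
                echo "home $home has mode $mode, readable by group or others"
                problems=$((problems + 1))
                ;;
        esac
    else
        echo "home directory $home does not exist"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

if [ -n "${1:-}" ]; then
    check_backup_user "$1"
fi
```

A clean run prints nothing and exits 0, so it can sit in a cron job or a Custom Command button; any line of output is a setting that has drifted from what this page set up.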

You could go to PuTTY's website

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

And download the following tools

PSCP.exe

and

PLINK.exe

These are rock-solid secure, just like Putty is

You could use a command like this one, using a combination of PSCP and WinRar (http://rarlabs.com) to do offsite backups of Windows PCs over a
secure connection.

=====================================================================================
rem start batch file

cd %userprofile%

taskkill /f /im OUTLOOK.EXE

"c:\program files\winrar\rar.exe" a -agHH-MM-SS--MMM-DD-YYYY %computername%_My_Docs_Folder_Win2K_XP "my documents"

"c:\program files\winrar\rar.exe" a -agHH-MM-SS--MMM-DD-YYYY %computername%_Docs_Folder_WinVista_7 "documents"

%temp%\pscp.exe -4 -2 -P 22 -l backupbot -pw abc123 *.rar backupbot@kevin.gotdns.org:

exit
rem end batch file
======================================================================================

This batch file closes Outlook if it's running, then compresses the user's My Documents folder into a single file, then uploads it.

It will name the backup file the same name as the user's computer, tell you if it's Windows 2000\XP or Vista\7, and add the date.

As you can see the password abc123 is exposed; that's why the permissions have to be so tight.

==================================================================
rem start batch file

%temp%\pscp.exe -4 -2 -P 22 -l backupbot -pw abc123 *.rar backupbot@kevin.gotdns.org:

rem end batch file


==================================================================

But even if it fell into the wrong hands, there isn't much of anything they could do with it.

Of course a disk space quota is important for any user; always set disk space quotas to prevent abuse.

Also this will be an outgoing request from your users' PCs, so you don't have to worry about a firewall configuration on the users' end at all.

That's PSCP

Next is PLINK

PLINK is a really cool SSH tunneling tool. You can secure almost anything you want to do, because you can wrap the entire communication up in an
SSH tunnel, much like a VPN connection. Everything you do on the port you specified for the tunnel will be secured by SSH. And this will also
be an outgoing request from your users' PCs, so you don't have to worry about a firewall configuration at all.

450
For PLINK you could do something like this

======================================================================
rem start batch file

%temp%\plink.exe -ssh -4 -P 22 -l backupbot -pw abc123 -R 5900:localhost:5900 kevin.gotdns.org

rem end batch file


======================================================================

This would create an awesomely secure tunnel from your user's PC to yours. Port 5900 is VNC, so when you launch VNC from your network, you
can remote into the Windows PC user over that tunnel, with no firewall config needed on the user's side.

But I don't want to spend too much time on those because there are easier alternatives.

If you're looking to remote a user, just use LogMeIn software at http://logme.in or TeamViewer at http://www.teamviewer.com; both work very,
very well. These are free for personal use and mostly web based; there is no configuration needed on either side. You can log in without the need for
an account, and all traffic is outbound, so again, no firewall worries. My favorite one is TeamViewer.

If you're looking to do offsite backups of user files, you should use something like Cobian Backup, over your LAN to a local Linux box running
Samba. And then have that Linux box use the Webmin Filesystem Backup module to schedule offsite backups to another Linux box over SSH. Or
something like RSYNC or jailed SFTP or SSHFS. Or even easier, just use Carbonite, they do all the work for you. http://carbonite.com

But it's good to have the knowledge above, and I mostly talk about it so you know not to pick SSH when giving someone else an account on your
Linux box. SSH by default lets them change directory to wherever they want. And without jailing knowledge, your files are way too exposed. So
think of it this way: rssh = SSH for users besides yourself.

That's about it for those.

Let's stop for a second and talk about virtualization and encryption.

Virtualization

451
As of the original writing of this webpage \ how-to, VMWare Server was the best virtualization server solution around. Nowadays,
if you're planning a VMWare server or Hypervisor there are many more options, and in my opinion, better options.
For this reason my VMWare server guide has been archived Here. It's no longer recommended; I would recommend This

File encryption.

In the same way that local backups pale in comparison to offsite backups, file encryption pales next to filesystem encryption. We are talking about this
now because you are in the advanced how-to.

If you can't lock the door where this Linux box is, if you can't set up a $20 webcam to watch for people trying to steal your Linux box, if you've got
enemies at the FBI :- )
then you would want to set up complete filesystem encryption. Anything less than encryption at the filesystem level is unacceptable. This is really
easy to set up. Start this how-to all over again, and on page 12, choose LVM encryption.

That's it, except for the format taking a couple of days (literally). Your computer will boot up and ask for a password before mounting the drives; without
the correct password, it's as if the data doesn't exist. I've tried to break it, leaving just one letter off the right password. No go, it's so very strong. It's
the only one worth doing. I prefer to only use it on laptops; it can make data rescue a pain in the butt. And I have a fat padlock on every one of my
servers, so as far as what I practice, I only do this on laptops and servers I'm solely responsible for.

But once you choose LVM encryption, the kernel will be built correctly during setup, and you can then tweak it via Webmin under the
Hardware \ Logical Volume Management module (LVM)
Make sure your first Linux experience isn't with encryption. It can make disaster recovery a pain, and remote reboots aren't really going to work for
you, as you're prompted for a password to reboot. A couple of Google searches will teach you how to hardcode that password in, but hopefully you see
the flaw in that. I prefer to not hide the key next to the lock :- )

If this is your first Linux experience, hold off until your third or fourth time before you dive into that. But it's amazing, and worth the effort.

Ok, we have come to the final part of our how-to. The next steps deal with setting up your Linux box as a router and then, optionally, a local
DDNS server. Setting up your Linux box as a router means that any time you want to reboot or troubleshoot, your users will have no internet access. So
make sure this is something you really want to do.

452
And I say DDNS, not DNS, because it (D)ynamically updates your local DNS records via your DHCP clients. Basically your DHCP clients will all get
DNS entries automatically when they get their DHCP leases, very cool stuff. Extremely useful on a large network, but can be a little overkill on a
small one. I have a problem where I memorize IP addresses, because I am weird like that, and wind up never using the DNS name. But your users will
never remember IP addresses; that's when it becomes necessary, and the flexibility of name control on your network is nice.

Ok, truth is you're about to build a very powerful router. So let's do this. Warning!!! These next steps will disconnect you from the internet for a very
long period of time. You might want to finish reading the how-to before moving on.

Warning, if you have ADSL, DSL, PPPoE and or an All-In-One Modem\Gateway\Router, you may not want to continue.

This how-to was written mostly for cable internet users, and or small business users on a LAN wishing to create a sub network \ private network.

Even cable internet users, if you have an All-In-One Modem\Gateway\Router, you may not want to continue.

The reason ADSL, DSL, and or All-In-One Modem\Gateway\Router users may not want to continue is that this how-to walks you through setting up
your computer as a drop-in replacement for your router. But if your router is an all-in-one solution, you can't really remove it from your network, as
the modem still needs to do its function in order to get you out to the internet. You could disable the routing feature of the all-in-one, but it would still
be powered on and using electricity, and sitting next to a computer doing the same exact function.

And even if you decided to disable those features and continue on, most ADSL and DSL modems use proprietary instructions written in their
firmware that won't let you back out to the internet without passing through its NAT first, so disabling that function would unfortunately break your
internet connection.

So long story short, only continue if you have a setup where the modem is a piece of hardware all by itself (this is usually only cable subscribers, as
in cable TV or coax cable modem), and or an internet source with a public IP address without PPPoE, and or you're on a small business network and
you're wanting to create a sub network behind your current network.

You will also need a second network card to continue. You will later be installing this into your Linux server.

You will need to set a couple of static IP addresses, as you are going to be without DHCP for a while.

If your Linux server is still on DHCP, you must change it to static. Also if you're still using a static IP address
of 192.168.2.111 (x.x.x.111) or 192.168.2.174 (x.x.x.174) you should change it to 192.168.2.1 (x.x.x.1) before continuing.
It is good practice to have your router and gateway be x.x.x.1, basically the first IP address of your scheme. You're about

453
to turn this box into a router \ gateway, so change the IP address if you haven't already. You can refer to pages 48 and 49 if you
forgot how to make this change. And reboot to make the change effective.

You will need to temporarily set your Windows PC to use a static IP address, within your same IP scheme. I'm going to use IP address 192.168.2.9
on my Windows PC. There are some screen shots on the next page on how to do this. Don't move on until you have figured out how to give your
Windows PC a static IP address within your same IP scheme.

If you right-click on the network card (Local Area Connection) on your Windows PC, and go to properties, we can walk through how to set that up.

You should see something like this

454
Right-click on it and go to Properties

You should see something like this

455
Click-on Internet Protocol TCP\IP and then click Properties

456
*Note, if your screen shows IPv4 and IPv6, choose IPv4
You should see something like this, make the following changes and click OK

457
If these numbers look French to you, refer to earlier pages for an IP scheme refresher.
Click OK again, as many times as it takes to get out of those screens, and then reboot your Windows PC.
At this point, if you're using my same numbering scheme, you should have a Windows PC with a static IP address of 192.168.2.9

And a Linux server, with one NIC, with a static IP address of 192.168.2.1

From now on we will be referring to your original network card (eth0) as eth_safe; that is the one with IP address 192.168.2.1

And the new NIC, the second one (eth1), as eth_bad. That's jumping a little ahead, as we haven't even installed it yet, it's just important you grasp
this before moving on.

eth_safe will be the LAN side of your network, and eth_bad will be the WAN side of your network.

Before moving on, make sure you can still get to Webmin from your Windows PC.
Webmin should now be at https://192.168.2.1:10000 if you're following my numbering scheme.
*If you just recently changed the IP address, Webmin will take an extra long time to load the first time you open it, just give it a minute.

We need to stop the firewall from loading at startup on your Linux server. Its configuration is no longer valid now that you want to do routing.
Navigate to the Linux Firewall module, and stop it from loading at startup.

You should see something like this

458
Change Active at boot to No
Then click the Active at boot button to make it stick, then click the Apply Configuration button

459
Reboot your Linux server; you should have no active firewall at this point.

Using Putty, paste in the following command and hit enter: apt-get install bind9 dhcp3-server

Reboot your Linux server

Triple check that your firewall is still down by logging back into Webmin and navigating back to the Firewall module, and make sure that button
still says No.

Power off your current router (example: Linksys) and remove it from your network. Note, this assumes you have a switch you will be using instead.
If not, you can still use the 4 LAN ports on your old Linksys router, and re-introduce it back into your network as a switch, as long as you don't
ever plug anything into the WAN port of the Linksys router ever again. Put a piece of tape over it if you have to, and never use it again. (Some router
models call it an uplink port)

Never use the Uplink port or WAN port on the Linksys router ever again; this will cause it to act just like a switch. If it has wireless capabilities that's
ok, later I will show you how to make that work with your new setup.

Removing your Linksys router from your network, and or using it as a switch instead of a router can be kind of hard to picture the first time you do it.
So I drew you a few pictures. This first one would be an example of salvaging your current wireless router.

460
461
This second view would be if you ditched your Linksys router all together, and just used an actual switch.

462
463
This third view would be if you used both a switch and a wireless router (AKA wireless access point)

464
Decide which picture best describes what you want to do, and then shut off the Linux box.

465
After powering off your Linux box, install the second network card inside the computer, but do not plug the cable in yet!

Again, do not plug the cable in! Only the original network card you started this how-to with should have a cable going into it. Keep the cable
coming from your ISP out of the picture for now; it should be sitting there not plugged into anything.

Once you have the NIC properly installed, power on the Linux box.

Once we configure it, the new NIC will then be known to the system as eth1 and known to us as eth_bad

Visually you will know it as your WAN port, but we will continue to refer to it as eth_bad.

It just helps in visualizing what's going on, as this will be the NIC eventually connected to the big bad internet, via your Cable\DSL modem.

eth0, our trusted NIC, the one plugged into your switch, will be referred to as eth_safe. Just for clarification, I'm calling your old Linksys router
with a piece of tape over the old WAN port a switch.

Later in the how-to, when we set up our firewall rules, we will trust everything from eth_safe, so it's important to stop here if you don't understand
that. You have 2 NICs now; one is eventually going to be plugged into the Cable or DSL modem, that's eth_bad. And again, it should not have a
cable plugged into it right now.

If later you get confused: eth_safe should have a static \ private IP address, and eth_bad should have a DHCP IP address it obtained from outside this
network, better known as a public address. If that doesn't make sense to you, don't continue the how-to until it does. Or maybe keep reading without
doing; a wrong choice here could expose your network to the outside world.

If your Linux box has internet access right now, stop! You have done something wrong.

Next we are going to configure eth_bad (eth1)

Using the Webmin File Manager module, navigate to and edit file

/etc/network/interfaces

Go ahead and enter the following info, or copy \ paste.

allow-hotplug eth1
iface eth1 inet dhcp

You can ignore the "up /sbin/ifconfig" line in the screenshot for now.

Also enter anything you might be missing for eth0. Once everything looks good, click on Save and Close.

Hopefully you won't need that "up /sbin/ifconfig ... mtu" line; we will talk about that later.

Reboot your Linux box to activate that new NIC

You can't really test all that speed, duplex, and MTU stuff until you have a cable plugged in, so we will have to come back to that later. Don't plug
the cable in yet; just remind yourself later to check that out. Like you did earlier in this how-to, use a combination of ifconfig, mii-tool and ethtool
to make sure you have the right speed, duplex, and MTU settings. These problems are rare, but nasty.

In that last print screen you could see I had a problem with the MTU on this NIC and had to force it. Hopefully you won't have that problem; I rarely
see it. But if you do, just Google search the right MTU settings for your ISP. Cable modems and LAN are almost always 1500 MTU; some DSL
connections I have seen are 1400+ MTU. Docsis 2.0 = 10\100, Docsis 3.0 = 10\100\1000. A Google search should show the right setting for your
situation. Try Google first, most people at your ISP customer support center won't know what you are talking about :- )

We are now going to change a setting that allows packet forwarding between the two NICs. This is the reason we have done so many overkill
security settings, because after you make this change eth_bad will be able to forward packets to eth_safe and vice versa.

Navigate the File Manager module, and edit file

/etc/sysctl.conf

Add or un-comment the following line

net.ipv4.ip_forward=1

Now is a good time to reboot. This reboot will enable packet forwarding between the two NICs.

Your computer may take a long time to start up, as it's searching for DHCP on eth_bad, but there is no cable plugged in yet. Just wait a few more
minutes than usual; it will come up. Do not plug in the cable yet.

Next we are going to set up the DHCP server. It will hand out DHCP IP addresses to your internal network, originating from eth_safe (eth0) and
feeding addresses to anything behind it (your switch).

You already have the DHCP server installed; we just have to tell it which NIC to use and enable it. Navigate to the DHCP Server module, and click
on Edit Network Interface.

You should see something like this

Choose (eth_safe) eth0 and click save

You should be returned to the main DHCP screen, click on Add a new Subnet

You should see something like this; make the following changes

Subnet description - make something up
Network address - 192.168.2.0
Netmask - 255.255.255.0
Address range - 192.168.2.50 - 192.168.2.99

Leave all the other options alone and click Create Now and/or Save, depending on what your screen looks like.

Now a new icon should have appeared on the main DHCP server page underneath Subnets, called 192.168.2.0. Click this icon, you will be returned
to a screen similar to the one you just left except it has some new buttons at the bottom. Click the one that says "Edit Client Options".

Make the following changes

Subnet mask - 255.255.255.0
Default routers - 192.168.2.1
Broadcast address - 192.168.2.255
DNS servers - 192.168.2.1

You will have to hit save twice, here and the next screen.

You should be returned to the main DHCP screen, where you can start the DHCP server

You now have a fully functioning DHCP server. You should be able to release the IP address on your Windows PC and get a new one handed out
from your Linux box.

If you don't know how to release your IP, just reboot your Windows PC; that will do it too.
*If you're using a static IP address on your Windows PC, you would have to switch it to DHCP to see the fruits of your labor.

At this point you have your Windows PC plugged into your switch, and your switch plugged into eth_safe.

If you're using wireless, there are a couple of setting changes you need to make on the old wireless router
(Wireless switch \ Wireless access point)

You should be able to access the wireless router's admin webpage using your Windows PC and a cable going into one of its LAN ports.
Login and make the following changes.

-Disable its Built-in DHCP server

-Change its routing function from a Gateway to Router (not all models have this feature, if not, just leave it at Gateway)

-Disable its Built-in Firewall

-And optionally you can delete all your Port-Forwarding, NAT, DDNS, and any other custom settings on your old router, as they are no longer
functioning in this scenario. All that will be handled by your Linux server from now on, so these settings are no longer doing anything for you.

You can then use the 4 LAN ports just like a switch, never using the WAN port again.
(the WAN port is usually 10\100, so you may have just removed a future bottleneck in your network)

And voila, now you have a wireless router that is dumbed down to act like a wireless switch instead.
If you had to set a static IP address to talk to your Wireless router (aka wireless switch), don't forget to set yourself back to DHCP.

What's nice about this setup is you can now put that wireless router wherever you want in your house or building
(as long as there is wiring going to it)

You're no longer confined to having it next to your Cable \ DSL modem, which is normally in some closet somewhere surrounded by lead and 4 foot
thick walls :- )

Smart placement of your Wireless router is the key to good signal strength.

Next we need to destroy the current Firewall configuration so we can set it up the right way.
Even though it's not loading right now, it still has all the wrong settings in it.

Navigate to the Linux Firewall Module, and click the Reset Firewall button

You should then see a screen like this; make the following changes

Do Network Address Translation (nat) on eth_bad (eth1)

If you see a checkbox about starting the Firewall at startup, make sure that is not checked.
Like before, we want a way back in if we mess something up

Once your screen matches mine, click Setup Firewall

You should see something like this

At the bottom of the screen change Active at Boot to No,
then press the Active at boot button,
and then press the Apply Configuration button.

We do eventually want it activated at boot, just not yet.

Change the field at the top, next to the Showing IPtable button

Click the drop down arrow and select Packet Filtering (filter)

Once you are sure you're in the filter screen,
set the default action for (FORWARD) to Drop

Then click the Set Default Action To button next to it

Do not click the Apply Configuration button, not yet anyway

Do the same thing for (INPUT)

Do not click the Apply Configuration button, not yet anyway. However, make sure you are clicking the Set Default Action button.
It won't let you change them both at the same time, so double check that (FORWARD) and (INPUT) are set to Drop,
and double check that you have clicked the Set Default Action To: button for both.

Double check that your screen looks like this

Do not hit Apply yet

If you accidentally hit apply and have locked yourself out, just manually reboot the Linux box. We don't have these rules in startup yet, so a reboot
will get you back in for now. Once we are sure it is working, we will finally put it in startup.

Let's talk for a brief second about the Firewall and the settings we are going to make.

The Linux firewall works with three IP tables:

MANGLE, NAT (which is where PREROUTING lives) and FILTER.

The actual firewall part is done with FILTER.

In this configuration we are going to allow anything and everything on eth_safe (eth0), because that network card is internal and runs from the
Linux box to a local switch inside your network. We are going to allow everything from (lo), the local loopback interface. We are going to block
everything (with the exception of outgoing traffic) on eth_bad (eth1), as that network card is exposed to the internet: it runs from the Linux
box to your high-speed modem or internet feed. The idea is for eth_bad to be a way out to the internet, not a way in, unless requested from behind
the Firewall, or explicitly specified by you.

And any PortForwarding you might need is done in PREROUTING, and then passed to the FILTER (FORWARD). That's why later, when we set up
PortForwarding, we have to make sure we allow them in both places.

OK, let's configure the Firewall.

Here is a glance at the rules we will be defining

INPUT

Accept if protocol is ICMP (This is optional, but recommended, very handy)

Accept if incoming interface is lo

Accept if incoming interface is eth_safe (eth0)

Accept if incoming interface is eth_bad (eth1)
and state of connection is ESTABLISHED,RELATED

FORWARD

Accept if incoming interface is eth_safe (eth0)
and outgoing interface is eth_bad (eth1)

Accept if incoming interface is eth_bad (eth1)
and outgoing interface is eth_safe (eth0)
and state of connection is ESTABLISHED,RELATED
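Added here as an example, not code from the original how-to: a small shell check you can run over the output of iptables-save (the same format the Webmin Linux Firewall module stores its rules in) to confirm the ruleset above matches the policy just described before you hit Apply Configuration. It assumes eth0 is eth_safe, eth1 is eth_bad, and that the Reset Firewall step with NAT on eth_bad produced a MASQUERADE rule; the sample ruleset inside is constructed.

```shell
#!/bin/sh
# Added example, not part of the original how-to. Checks an iptables-save dump
# against the policy described above. Assumes eth0 = eth_safe, eth1 = eth_bad.
# Real use, after sourcing this file:  iptables-save | audit_rules eth0 eth1

# Constructed sample: what `iptables-save` should print once the INPUT and
# FORWARD rules above are in place and NAT is enabled on eth_bad.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

# audit_rules SAFE_IF BAD_IF   (iptables-save dump on stdin)
# Prints one line per problem found; returns 1 if anything was printed, else 0.
audit_rules() {
    safe=$1
    bad=$2
    dump=$(cat)
    rc=0
    has() { printf '%s\n' "$dump" | grep -q -- "$1"; }

    # Both filter chains we care about must default to DROP.
    has '^:INPUT DROP'   || { echo "INPUT default policy is not DROP"; rc=1; }
    has '^:FORWARD DROP' || { echo "FORWARD default policy is not DROP"; rc=1; }

    # The way back in: lo and eth_safe must be accepted, or you lock yourself out.
    has "^-A INPUT -i lo -j ACCEPT"    || { echo "no ACCEPT for lo"; rc=1; }
    has "^-A INPUT -i $safe -j ACCEPT" || { echo "no ACCEPT for $safe"; rc=1; }

    # Nothing from eth_bad may be accepted unless it is a reply (state match)
    # or an explicit port exception (--dport, like the port 22 rule later on).
    if printf '%s\n' "$dump" | grep -- "^-A INPUT -i $bad " \
            | grep -v -e '--state' -e '--dport' | grep -q ACCEPT; then
        echo "unrestricted ACCEPT from $bad in INPUT"; rc=1
    fi

    # Forwarding from eth_bad into the LAN: replies only, or a specific port.
    if printf '%s\n' "$dump" | grep -- "^-A FORWARD -i $bad -o $safe " \
            | grep -v -e '--state' -e '--dport' | grep -q ACCEPT; then
        echo "unrestricted forward from $bad to $safe"; rc=1
    fi

    # Outbound traffic has to be masqueraded behind eth_bad's public address.
    has "^-A POSTROUTING -o $bad -j MASQUERADE" || { echo "no MASQUERADE on $bad"; rc=1; }

    return $rc
}

if printf '%s\n' "$GOOD_RULES" | audit_rules eth0 eth1; then
    echo "ruleset matches the how-to's policy"
fi
```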

To add these rules, click the Add Rule button, under INPUT

You should see something like this
Make the following changes for ICMP (ping)

Then click Create

You should see something like this

Click the Add Rule button again

You should see something like this

Make the following changes for lo (LoopBack)

Then click Create

Click the Add Rule button again


You should see something like this

Make the following changes for eth_safe (eth0)

Then click Create


Click the Add Rule button again

You should see something like this


Make the following changes for eth_bad (eth1)

You have to hold down the control button on your keyboard to select more than one item.

Select both Established and Related

Then click Create

You should now be seeing something like this

Now under the FORWARD section, click Add Rule

You should see something like this

Make the following changes for forwards from eth_safe to eth_bad

Then click Create

Click the Add Rule button again, making sure you're still under FORWARD.
You should see something like this

Make the following changes for forwards from eth_bad to eth_safe

Then click Create

You should see something like this

Cross your fingers and click the Apply Configuration button.
Did you get disconnected from Webmin? Can you still click around on the other modules?
If you can, then congratulations, you did everything right.

If you got disconnected, and you're sure you're plugged into eth_safe, then you did something wrong; you can turn off the firewall by manually
rebooting your computer.

If you didn't get disconnected then you are ready to put the Firewall in startup.

Navigate back to the Linux Firewall module, change Activate at Boot
to Yes and click the Activate at boot button.

And then click Apply Configuration.

It is now safe to plug your cable into eth_bad; now you should have two cables in the same machine.

The cable coming from your Cable\DSL modem, or your ISP \ internet connection, goes into eth_bad (eth1).

The cable from eth_safe (eth0) should lead back to the switch inside your private network.

Once you have both cables where they are supposed to be, reboot your Linux box.

After the Linux box reboots, use the Command Shell module to run
the ifconfig command

ifconfig

*Note, if there is just too much information on the screen for you after you run ifconfig
You can instead run

ifconfig eth0

ifconfig eth1

etc.

And only see the details for the NIC you specify after the command

You should see at least 3 network interfaces, you will have more than that if you did the VMware portion of this how-to

eth_bad (eth1) should be getting a Public DHCP IP address from your ISP.

This IP address should look a little weird to you, and in most cases shouldn't start with 192.168.

Also, this is a good time to make sure the MTU, speed and duplexes are correct.

If you're not getting a Public IP address for eth_bad (eth1), something's wrong.
It could be as simple as your ISP doing MAC address restrictions, meaning they want you to call them every time you get a new router.

You can do that: call them and give them the MAC address for eth1
(also known as the hardware address).

Or you can clone your old router's MAC address, so eth1 acts like its MAC address is the same as your old router's; then you don't have to call your
ISP, because they won't know there was a change. But in most cases, you have to call your ISP and give them the MAC address for eth_bad.

If you still want to try and clone your old router's MAC address, navigate to the File Manager module, and edit
the file /etc/network/interfaces

Comment out the line that says allow-hotplug eth1

And replace it with these two lines

auto eth1
hwaddress ether xx:xx:xx:xx:xx:xx

Use your old router's WAN port MAC address in place of the xx:xx:xx:xx:xx:xx placeholder.

This will force eth1 (eth_bad) to act like it has the MAC address you specified.

Save and Close

Reboot your Linux box

Do an ifconfig

And you should see that eth1 now has the MAC address you specified and has a public IP address.
At this point your server is configured as a working router/dns/dhcp server. It should work ok in this setup for everything you need it to do.

The rules implemented thus far create a very simple (yet powerful) firewall that allows absolutely nothing in from the outside world unless it is part of
an established connection. It also assumes the internal network is completely trusted and allows unfettered access to the server and outside world
from the internal network. This is the default setting for pretty much every NAT device ever.

At this point you are effectively finished. You can just leave your server as a simple router with no other rules at this point. It is very secure and will
work fine for most purposes. If, however, you want to run publicly accessible servers, then we need to add some additional rules.

If the server you're trying to get to is on this very same Linux box, then it's just an INPUT rule in the filter. For example, if you want to be able to
SSH (Putty) into this Linux box from the outside world, that is an INPUT rule, or exception to the firewall. That wouldn't involve PREROUTING or
FORWARD at all.

Let's set up a port 22 Firewall Exception so you can SSH in from the outside world.

Navigate back to the Linux Firewall module, make sure you're in the FILTER screen, and make a new rule underneath INPUT

You should see something like this, make the following changes

And then click Create

These are the easiest exceptions to make, as you're explicitly allowing information coming into eth_bad (eth1) to not be dropped by the firewall. That's
it for port 22; go ahead and make any more you might need. Don't forget to make good use of the Clone Rule button inside each rule, it can make
things much easier for you. Just Clone it, change the port, and you're done.

You should see something like this

Make any more that you need. For example, if you clicked on the port 22 exception, cloned it, and then changed the port to 10000, you would then
have a port 10000 exception for Webmin. Just keep cloning and changing the info until you have all that you need.

Then hit Apply Configuration

You should limit the number of direct INPUT rules you allow, as these open up ways into your router, whereas your router should be as invisible as
possible. This is still secure, SSH (Putty) is pretty amazing stuff, and Webmin is https, just try to limit the number of holes you allow directly into the
router like this.

A better way to get into your network and manage systems is to PortForward to another computer already inside your network, and execute
commands from there.

For example, your Windows PC will accept Remote Desktop connections on port 3389.

So if you create a PortForwarding rule, the router can use the PREROUTING and FORWARD feature to redirect your connection to a computer
inside your network, and once inside, you're totally trusted by the Firewall, all without exposing the router itself.

Windows Remote Desktop also offers some high level encryption options, so far we haven't made any Firewall exceptions that aren't highly
encrypted, and that's a beautiful thing.

Chances are, you will have more than one computer inside your network that you want to access ports 3389 and 22 on. That's not a problem, as
you can forward an external number to an internal number.

For example, we can make PREROUTING and FORWARD rules that say

Anything coming in on port 25505, PortForward that to computer 192.168.2.5:3389

Anything coming in on port 25506, PortForward that to computer 192.168.2.6:3389

Anything coming in on port 25507, PortForward that to computer 192.168.2.7:3389

Anything coming in on port 25522, PortForward that to computer 192.168.2.8:22

Specifying 25522 for that last one leaves port 22 available for the INPUT rule we made earlier:

Anything coming in on port 22, allow directly into the router

This way you can have a bunch of computers, using all the same ports internally, and just specify some meaningless high port at the end of the
hostname or Public IP address. Then tell the router what computer that is really supposed to go to.

These require a little bit more work on your part, as you have to specify them in two parts of the Linux Firewall module: one as a PREROUTING
rule, and one as a FORWARD rule. But once you have one set done, you can use the Clone rule feature to complete the rest.

Navigate back to the Linux Firewall Module and this time make sure you are in the Network Address Translation table

Make sure you are in the PREROUTING section, and Click on Add Rule

You should see something like this, make the following changes

Then click on Create

You should see something like this

That's one part of two; for the next part, navigate to the Packet Filtering table.

You should see something like this

Make sure you're in the FORWARD section, and then click Add Rule

You should see something like this, make the following changes

Then click the Create button

You should be returned to the main Firewall screen, where you can hit Apply Configuration.

What you just did was allow a PortForward to happen from the outside world to a computer behind your firewall. And as long as you have
encryption enabled in your remote desktop clients, you don't have too much to worry about.

External remote desktop requests like the one in the screenshot will now be forwarded to computer 192.168.2.5:3389 inside your network.

That first rule was kind of a lot of work to create.

But now you can use the Clone rule button, inside of each rule, to quickly and easily make more PortForwards.

Just don't forget to do it in both places when PortForwarding:

NAT \ PREROUTING

and

FILTER \ FORWARD

As you can see from all those static numbers you're entering, it would be a good idea if the computers inside your network had static IP addresses or
DHCP reservations.
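The two-part PortForward just described (a PREROUTING rule plus a FORWARD rule) is easy to half-do, and a forward that only exists in PREROUTING just gets dropped by the FORWARD default policy. Added example, not code from the original how-to: a shell function that reads an iptables-save dump and lists every DNAT target with no matching FORWARD rule, so you can check your work before hitting Apply Configuration. The sample dump is constructed and assumes eth0 = eth_safe, eth1 = eth_bad.

```shell
#!/bin/sh
# Added example, not part of the original how-to. Finds PortForwards that were
# only entered under NAT / PREROUTING without the matching FILTER / FORWARD rule.
# Real use, after sourcing this file:  iptables-save | orphan_forwards

# Constructed sample dump: the 25505 -> 192.168.2.5:3389 forward was done in
# both places; the 25506 -> 192.168.2.6:3389 forward only under PREROUTING.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 25505 -j DNAT --to-destination 192.168.2.5:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 25506 -j DNAT --to-destination 192.168.2.6:3389
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.2.5/32 -i eth1 -o eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT'

# orphan_forwards   (iptables-save dump on stdin)
# Prints IP:PORT for every DNAT target that has no FORWARD ACCEPT rule naming
# that destination and port; exit status 1 if any were printed, else 0.
orphan_forwards() {
    awk '
    # Collect every DNAT target from the nat table.
    /^-A PREROUTING / && /-j DNAT/ {
        for (i = 1; i <= NF; i++)
            if ($i == "--to-destination") dnat[$(i + 1)] = 1
    }
    # Collect every FORWARD accept that names a destination host and port.
    # iptables-save writes single hosts as a.b.c.d/32, so strip the /32.
    /^-A FORWARD / && /-j ACCEPT/ {
        ip = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-d")      { ip = $(i + 1); sub(/\/32$/, "", ip) }
            if ($i == "--dport") port = $(i + 1)
        }
        if (ip != "" && port != "") fwd[ip ":" port] = 1
    }
    END {
        missing = 0
        for (t in dnat)
            if (!(t in fwd)) { print t; missing = 1 }
        exit missing
    }'
}

if printf '%s\n' "$SAMPLE_DUMP" | orphan_forwards; then
    echo "every PortForward has its FORWARD rule"
else
    echo "the targets listed above still need a FILTER / FORWARD rule"
fi
```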

Setting up a DHCP reservation is the best choice. Navigate back to the DHCP Server module, and we will set up a DHCP reservation for a computer
inside the network.

Make sure you're underneath the Hosts and Host Groups field, and click on
Add a new host

You should see something like this, make the following changes

* Hardware address would be the MAC address of the computer inside your network, that you want to always have IP address 192.168.2.5

Click Save

You should see something like this

Hit Apply Changes
And restart the computer inside your network with that MAC address, and it will forever get the IP address of 192.168.2.5

Do this for any computer you have a firewall exception for.

That's about it for the firewall exceptions and PortForwarding.

You shouldn't have any problems with your Virtual Machines, as they run bridged off of eth_safe. But if you do, just add a couple of rules for your VM
nics, similar to what you did for lo and eth_safe.

The VM nics are usually called something like VMnet1 and VMnet8, and should be available from the same drop down menus as everything else
you just did. But I haven't had any issues so far in the bridged VM mode.

If you want to remotely access the VMware server from the outside world, you need to allow ports 8333 and 902.

If the VMware server and the router are the same computer, this is just a simple INPUT rule, similar to the one you made for port 22.

If the VMware server is on a different computer inside your LAN, and not on the router itself, you would need to set up four rules: two
PREROUTING rules (8333 and 902) and two FORWARD rules (8333 and 902).

As far as security goes, that's a little more access than I want from the outside world. I don't want just anybody to be able to get to my VMware
server webpage, so if you're going to do this, you should take advantage of the source address option.

Source address is supported in all of the firewall rules.

By limiting the source address, you make something available to the outside world, but only if you are coming from the right IP address.

Below I am allowing connections on port 8333, but only if the computer I'm at has IP address 204.69.xxx.xxx

The only thing to be aware of is it's got to be your public address. If you're at work or on another network, your local IP address is probably not your
Public IP address.

For example, when I'm at work, my computer gets a 10.10.xxx.xxx IP address. But my Public IP address is 204.69.xxx.xxx

So in my Firewall exception I would use the public address. And then port 8333 is only accessible from my work network. Granted it's anybody at
my work place, as we all have the same public IP address, but you've still eliminated most of the possible connections from the rest of the world.

If you don't know what your Public IP is, you can go to

http://whatismyip.com/

And a webpage will pop up and tell you.

And as far as port 902, that's for the VMware player. You should be doing most of your stuff through remote desktop, and not the VMware
player. But sometimes you will need the player, so you will need port 902 open as well.

Earlier we made a port 22 exception, as a PortForward from 25522. You probably won't need to do too many of these, not for SSH (Putty) connections
anyway.

You can, from within Putty, connect to as many other SSH computers as you like. Meaning if you SSH into your router, and you're in a Putty
window, you can simply type

ssh wood@192.168.2.5

Where wood is the username you want to use

And from within your current SSH connection to your router, it will connect you to computer 192.168.2.5 inside your private network, without any
need to PortForward anything. And when you exit or logout of that session, you're returned back to your SSH screen on your router. Pretty cool stuff.

You're almost done with the router setup.

If you were using a DDNS update client on your old router, to keep your hostname current, like this one, from Linksys

You're going to have to install the Linux equivalent (ddclient)
so that your hostname stays up to date.

Launch a Putty session or navigate to the SSH2 module and
type the following command, then press the Enter key on your keyboard

apt-get update

After that finishes, type the following command and press the Enter key on your keyboard

apt-get install ddclient

You should see something like this

Press the Enter key on your keyboard

You should see something like this, answer the on screen questions

You should see something like this, answer the on screen questions

*This is an example, enter your own information, and do not copy mine

Pay close attention to this next question

Make sure you enter eth_bad here, because you want it to update from your public IP interface, not your private interface.

So if you have been following this how-to word for word, then you would enter
eth1 in the box above.

Press the Enter key on your keyboard

You should then be returned to the command prompt

You can type exit and close Putty

You're not done with ddclient yet; there are three more config changes you have to make.

Using the File Manager module, edit the file

/etc/ddclient.conf

You should see something like this

Add the following two lines

daemon=300

ssl=yes

Click the Save and Close button

Using the File Manager module, edit the file

/etc/default/ddclient

Make sure run_ipup is set to false

Make sure run_daemon is set to true

Make sure daemon_interval is set to the same interval you set in /etc/ddclient.conf

Save and Close

Restart your Linux box

Navigate to the Command Shell module, and execute the following command

/etc/init.d/ddclient status

As long as you see "ddclient is running",
you know it's launching at startup and checking for changes.

Next execute the following command

/etc/init.d/ddclient restart

And as long as you dont see any errors, you should be all set.

Don't worry that it's checking every 300 seconds; I know that sounds too aggressive.
But it's actually comparing your IP address to a local file, so you're not beating up the DYNDNS website like it sounds.

You're also sending that username and password over ssl encryption, so you might even be better off than you were with your old router.

That's about it for ddclient.

Next we are going to setup a local DNS server.

This is not only a local DNS how-to, but it's also a local DDNS how-to, meaning Dynamic DNS. It will not only control the naming on your local
network, but will also allow your DHCP clients to build, update, and maintain the list of their own computer names \ DNS entries.

I wouldn't recommend setting this up on a small network. It's a pain in the butt the first time you do it, and it's very picky if you start making
changes. I'm not saying it isn't stable, it's rock solid stable, I'm just saying it's easy to break if you want to tweak it later on.

On small networks I find myself just referring to everything by their IP addresses, so make sure this is something you want to do before you continue.

OK, let's get started

First stop the bind service. This service has to be stopped every time you want to make changes to it; it's very picky like that.

You can either type

/etc/init.d/bind9 stop

Or you can navigate to the Bootup and Shutdown module, and stop it from there.

If you have given your router's eth_safe (eth0) a static IP (which you already did if you have been following this how-to), we need to double check and
make sure your computer name still matches the static IP address. Change the following files

/etc/hosts

Where it says 127.0.0.1, add localhost.localdomain

Where it says 127.0.1.1, change it to your static IP address and server's hostname

Click Save and Close

Then edit file

/etc/hostname

And make sure your server's hostname is in there

Click Save and Close

Then edit file

/etc/resolv.conf

Write down all the info inside that file, and then delete everything inside this file.

Don't just #comment it out; actually highlight and delete the contents of the file. Just delete the contents (all the words inside), don't delete the actual
file.

Although that info is important, we are going to use our DHCP settings to overwrite this file at startup, but it just appends to the file and
doesn't always overwrite, so we have to make sure it's empty first.

Click Save and Close

Then edit file

/etc/dhcp3/dhcpd.conf

Underneath DNS Update Styles

Change it to ddns-update-style interim;

Uncomment the authoritative; line (remove the # in front of the word authoritative).

This will make your Linux box the authoritative DHCP server for this network.

And under the part that reads

subnet 192.168.2.0 netmask 255.255.255.0 {

Paste in the following

ddns-domainname "diy.lan.";
allow client-updates;
option domain-name "diy.lan.";
max-lease-time 999999;
default-lease-time 888888;
range 192.168.2.50 192.168.2.99;
ddns-rev-domainname "2.168.192.in-addr.arpa.";
option broadcast-address 192.168.2.255;
option subnet-mask 255.255.255.0;
option routers 192.168.2.1;
ddns-updates on;
option domain-name-servers 192.168.2.1;
}

You should have something like this

Some of that should look a little weird to you,

like this: ddns-rev-domainname "2.168.192.in-addr.arpa.";

That's for reverse DNS.

You may have to tweak it to fit your needs.

If you were on a 10.10.50.xxx network, you would use

ddns-rev-domainname "50.10.10.in-addr.arpa.";

Or

If you were on a 192.168.0.xxx, you would use

ddns-rev-domainname "0.168.192.in-addr.arpa.";

Or
If you were on a 192.168.1.xxx, you would use

ddns-rev-domainname "1.168.192.in-addr.arpa.";

It's just the network part of the address written backwards, with the last octet dropped, followed by in-addr.arpa.

Also make sure you adjust these to fit your scheme

option domain-name-servers 192.168.2.1;
ddns-domainname "diy.lan.";

The first would be the IP address of eth_safe (eth0) on your router,
and the second the local domain name that you selected on page 9.

Once you have all that entered correctly, press Save and Close
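Getting ddns-rev-domainname, the zone stanzas and the bind zone names to agree is where this setup usually breaks, so here is an added example (not code from the original how-to) that derives the reverse zone name from your network and prints the dhcpd.conf lines that have to match it. It assumes the key name dhcpupdate used later in this section, and goes a little beyond the text by handling /8 and /16 networks as well as the /24 the how-to assumes.

```shell
#!/bin/sh
# Added example, not part of the original how-to. Derives the reverse-DNS zone
# name and the matching dhcpd.conf DDNS lines for a network, so the values
# pasted above can be regenerated for a different address scheme.

# rev_zone NETWORK[/PREFIX] -> in-addr.arpa zone name (trailing dot included).
# Goes slightly beyond the how-to: /8 and /16 are handled as well as the /24
# that is assumed when no prefix length is given.
rev_zone() {
    net=${1%/*}
    plen=${1#*/}
    [ "$plen" = "$1" ] && plen=24        # no prefix given: assume /24 like the how-to
    case $net in
        *.*.*.*) ;;
        *) echo "rev_zone: bad network '$net'" >&2; return 1 ;;
    esac
    o1=${net%%.*}; rest=${net#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}
    case $plen in
        8)  echo "$o1.in-addr.arpa." ;;
        16) echo "$o2.$o1.in-addr.arpa." ;;
        24) echo "$o3.$o2.$o1.in-addr.arpa." ;;
        *)  echo "rev_zone: /$plen does not map to a single reverse zone" >&2; return 1 ;;
    esac
}

# ddns_lines DOMAIN NETWORK[/PREFIX] ROUTER_IP
# Prints the subnet-level DDNS settings and the two zone stanzas that must agree
# with each other (and with the bind zone file names) for clients to register.
# The key name dhcpupdate is the one created with dnssec-keygen later on.
ddns_lines() {
    domain=$1
    rev=$(rev_zone "$2") || return 1
    router=$3
    cat <<EOF
ddns-domainname "$domain.";
ddns-rev-domainname "$rev";
option domain-name "$domain.";
option domain-name-servers $router;
ddns-updates on;

zone $domain. {
primary 127.0.0.1;
key dhcpupdate;
}

zone $rev {
primary 127.0.0.1;
key dhcpupdate;
}
EOF
}

# The how-to's own values: diy.lan on 192.168.2.0/24 with the router at .1
ddns_lines diy.lan 192.168.2.0/24 192.168.2.1
```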

You're not done with that file yet, because we have to make a secret key for DNS and DHCP to share with each other, so that only your DHCP
clients are able to update the server.

To do this, open up a Putty window or SSH2 module, and run the following commands

cd /options

Then press the enter key on your keyboard

Then run the following command

dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpupdate

This will create a 128 bit HMAC-MD5 key file whose name starts with Kdhcpupdate and ends with .key,
in the /options folder.

Open the File Manager module, and navigate to the /options folder.

Edit the Kdhcpupdate file that ends with .key

You should see something like this

That last solid string of numbers is your key

Do not share this key with anyone, consider this very confidential

Highlight the key, and copy it

Then navigate back to editing the file

/etc/dhcp3/dhcpd.conf

And under the part that says

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

Paste in the following

key dhcpupdate {
algorithm hmac-md5;
secret Oh+VKKP7uemLxrWg9lwwwQ==;
}

zone diy.lan. {
primary 127.0.0.1;
key dhcpupdate;
}

zone 2.168.192.in-addr.arpa. {
primary 127.0.0.1;
key dhcpupdate;
}

You should see something like this

Of course you need to use your own key here, not the example key above
Again keep that key confidential

Leave the IP addresses alone, they should be 127.0.0.1

But tweak the zone name to be the same as the domain name you picked

And tweak the reverse DNS address to fit your scheme

Then click Save and Close

Next edit the file

/etc/dhcp3/dhclient.conf

And add the following two lines

supersede domain-name "diy.lan";

supersede domain-name-servers 127.0.0.1;

You should see something like this

Then click Save and Close

This is the file that is going to append to /etc/resolv.conf at startup


So youre all set for both of these files now

Next navigate to the /var/lib/ folder


And use the File Manager module to create a new folder called bind

With permissions 0775, and bind as both owner and group

If the directory is already there, that's cool too. Just change the permissions, group, and owner to match

Now go inside that directory and create the following two files

diy.lan.db

2.168.192.in-addr.arpa

You should see something like this

And something like this

Save both

Set both files to the following permissions, and bind as both the user and group

These are some seriously wack file permissions, but bind gets a little crazy sometimes, and I find it works best this way

Next, use the File Manager module to edit the file

/var/lib/bind/diy.lan.db

And paste in the following

$ORIGIN .
$TTL 86400 ; 1 day
diy.lan IN SOA deb32server1.diy.lan. admin.diy.lan. (
    2009122871 ; serial
    28800 ; refresh (8 hours)
    7200 ; retry (2 hours)
    604800 ; expire (1 week)
    86400 ; minimum (1 day)
)
    NS deb32server1.diy.lan.
    MX 10 deb32server1.diy.lan.
$ORIGIN diy.lan.
deb32server1 A 192.168.2.1
printer1 A 192.168.2.74
sanx1 A 192.168.2.5
; is bind stopped
; did you update the serial number
; sometimes root should be the owner and bind should be the group
; hit enter here, must have one blank line, and only one

You should see something like this

It still wants you to have that MX 10 YourHostname.diy.lan entry even if it's not really a mail server.

Add all computers here that have a static IP address, the rest will populate themselves when they get a DHCP lease.

This program is so very picky about the following

Spacing: the file must end with one blank line, just one
Don't have bind running when you're editing these files
And changing the serial number, +1 every time you make a change (it's the date)
Sometimes it wants root to be the file or folder owner, and bind to be the group.

Next, use the File Manager module to edit the file

/var/lib/bind/2.168.192.in-addr.arpa

And paste in the following

$ORIGIN .
$TTL 86400 ; 1 day
2.168.192.in-addr.arpa IN SOA deb32server1.diy.lan. admin.diy.lan. (
    2009122871 ; serial
    28800 ; refresh (8 hours)
    7200 ; retry (2 hours)
    604800 ; expire (1 week)
    86400 ; minimum (1 day)
)
    NS deb32server1.diy.lan.
$ORIGIN 2.168.192.in-addr.arpa.
1 PTR deb32server1.diy.lan.
5 PTR sanx1.diy.lan.
74 PTR printer1.diy.lan.
; is bind stopped
; did you update the serial number
; sometimes root should be the owner and bind should be the group
; hit enter here, must have one blank line, and only one

You should see something like this

This program is so very picky about the following

Spacing: the file must end with one blank line, just one
Don't have bind running when you're editing these files
And changing the serial number, +1 every time you make a change (it's the date)
Sometimes it wants root to be the file or folder owner, and bind to be the group.
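Keeping the forward and reverse zone files in step by hand is where most of the "picky" mistakes above come from (a host added to one file but not the other, a serial that was not bumped, a missing trailing blank line). The following is an added example, not code from the how-to: it renders both zone files from one host table, picks a serial that is always larger than the previous one, and pre-checks a zone file for the two rules the author lists. The host table and addresses are the constructed values from this how-to (diy.lan, deb32server1, 192.168.2.0/24); substitute your own.

```python
import datetime
import ipaddress
import re

# Constructed host table for the example: the static hosts named in the how-to.
DOMAIN = "diy.lan"
NAMESERVER = "deb32server1.diy.lan"
SUBNET = "192.168.2.0/24"
HOSTS = {
    "deb32server1": "192.168.2.1",
    "sanx1": "192.168.2.5",
    "printer1": "192.168.2.74",
}

# Same SOA layout as the how-to's files; records without an owner name must
# start with whitespace so they inherit the owner of the SOA line.
SOA_TEMPLATE = """$ORIGIN .
$TTL 86400 ; 1 day
{zone} IN SOA {ns}. admin.{domain}. (
    {serial} ; serial
    28800 ; refresh (8 hours)
    7200 ; retry (2 hours)
    604800 ; expire (1 week)
    86400 ; minimum (1 day)
)
    NS {ns}.
"""


def next_serial(previous, yyyymmdd=None):
    """Date-based serial (YYYYMMDDnn) that is always larger than the last one.

    BIND only notices a change when the serial increases, which is why the
    how-to says to bump it on every edit. yyyymmdd is an int like 20091228."""
    if yyyymmdd is None:
        yyyymmdd = int(datetime.date.today().strftime("%Y%m%d"))
    return max(yyyymmdd * 100, previous + 1)


def reverse_zone_name(subnet):
    """'192.168.2.0/24' -> '2.168.192.in-addr.arpa' (IPv4 /24 only)."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("example only handles IPv4 /24 networks")
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"


def _by_address(hosts):
    return sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[1]))


def forward_zone(domain, ns, hosts, serial):
    """Render the forward zone (diy.lan.db) with A records sorted by address."""
    out = [SOA_TEMPLATE.format(zone=domain, ns=ns, domain=domain, serial=serial)]
    out.append(f"    MX 10 {ns}.\n")  # the how-to keeps an MX even without mail
    out.append(f"$ORIGIN {domain}.\n")
    for name, ip in _by_address(hosts):
        out.append(f"{name} A {ip}\n")
    return "".join(out) + "\n"  # exactly one trailing blank line


def reverse_zone(domain, ns, subnet, hosts, serial):
    """Render the reverse zone with one PTR per host, derived from the same
    table so forward and reverse can never drift apart."""
    net = ipaddress.ip_network(subnet, strict=True)
    zone = reverse_zone_name(subnet)
    out = [SOA_TEMPLATE.format(zone=zone, ns=ns, domain=domain, serial=serial)]
    out.append(f"$ORIGIN {zone}.\n")
    for name, ip in _by_address(hosts):
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{name} ({ip}) is outside {subnet}")
        out.append(f"{str(addr).split('.')[-1]} PTR {name}.{domain}.\n")
    return "".join(out) + "\n"


def check_zone_text(text, previous_serial):
    """Pre-flight for the two things the how-to says BIND is picky about:
    exactly one blank line at the end, and a serial larger than before."""
    problems = []
    if not text.endswith("\n\n") or text.endswith("\n\n\n"):
        problems.append("file must end with exactly one blank line")
    match = re.search(r"^\s*(\d+)\s*;\s*serial", text, re.MULTILINE)
    if match is None:
        problems.append("no serial line found")
    elif int(match.group(1)) <= previous_serial:
        problems.append("serial was not increased")
    return problems


if __name__ == "__main__":
    serial = next_serial(2009122871)
    print(forward_zone(DOMAIN, NAMESERVER, HOSTS, serial))
    print(reverse_zone(DOMAIN, NAMESERVER, SUBNET, HOSTS, serial))
```

Run it with bind stopped, redirect the two outputs into /var/lib/bind/diy.lan.db and /var/lib/bind/2.168.192.in-addr.arpa, then fix ownership as described above before starting bind again.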

Next, using the File Manager module edit the file

/etc/bind/named.conf.local

Paste in the following info

key dhcpupdate {
algorithm hmac-md5;
secret Oh+VKKP7uemLxrWg9lwwwQ==;
};

zone "diy.lan" IN {
type master;
file "/var/lib/bind/diy.lan.db";
allow-update { key dhcpupdate; };

};

zone "2.168.192.in-addr.arpa" {
type master;
file "/var/lib/bind/2.168.192.in-addr.arpa";
allow-update { key dhcpupdate; };

};
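The key block you paste into /etc/dhcp3/dhcpd.conf (earlier) and the one you paste into /etc/bind/named.conf.local (just above) must carry exactly the same secret, or DHCP's updates are silently refused. As an added example, not part of the how-to, the script below generates one random 128-bit base64 secret of the same shape as the dnssec-keygen output and renders both fragments from it, so the two files cannot disagree; it also derives the reverse zone name from the subnet instead of hand-typing it. The domain, subnet and key name are the how-to's constructed values.

```python
import base64
import ipaddress
import secrets

# Constructed values for this example; substitute your own domain and subnet.
DOMAIN = "diy.lan"
SUBNET = "192.168.2.0/24"
KEY_NAME = "dhcpupdate"


def generate_tsig_secret(bits=128):
    """Random base64 secret of the given length, the same shape as the
    'dnssec-keygen -a hmac-md5 -b 128' output used in the how-to."""
    if bits % 8:
        raise ValueError("key length must be a multiple of 8 bits")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def reverse_zone(subnet):
    """'192.168.2.0/24' -> '2.168.192.in-addr.arpa' (IPv4 /24 only, matching
    the how-to's addressing scheme)."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("this example only handles IPv4 /24 networks")
    first, second, third, _ = str(net.network_address).split(".")
    return f"{third}.{second}.{first}.in-addr.arpa"


def key_stanza(key_name, secret, terminator):
    """The shared 'key' block. The how-to closes it with '}' in dhcpd.conf
    and with '};' in named.conf.local."""
    return (
        f"key {key_name} {{\n"
        f"    algorithm hmac-md5;\n"
        f"    secret {secret};\n"
        f"{terminator}\n"
    )


def dhcpd_conf_block(domain, subnet, key_name, secret):
    """Fragment for /etc/dhcp3/dhcpd.conf: the key plus forward and reverse
    zones that send signed updates to the local BIND on 127.0.0.1."""
    parts = [key_stanza(key_name, secret, "}")]
    for zone in (domain, reverse_zone(subnet)):
        parts.append(
            f"\nzone {zone}. {{\n"
            f"    primary 127.0.0.1;\n"
            f"    key {key_name};\n"
            f"}}\n"
        )
    return "".join(parts)


def named_conf_local_block(domain, subnet, key_name, secret):
    """Fragment for /etc/bind/named.conf.local: the same key, and master
    zones that accept updates only when signed with it."""
    parts = [key_stanza(key_name, secret, "};")]
    rev = reverse_zone(subnet)
    for zone, path in ((domain, f"/var/lib/bind/{domain}.db"),
                       (rev, f"/var/lib/bind/{rev}")):
        parts.append(
            f'\nzone "{zone}" IN {{\n'
            f"    type master;\n"
            f'    file "{path}";\n'
            f"    allow-update {{ key {key_name}; }};\n"
            f"}};\n"
        )
    return "".join(parts)


def render_both(domain=DOMAIN, subnet=SUBNET, key_name=KEY_NAME, secret=None):
    """Generate one secret and render both fragments from it."""
    secret = secret or generate_tsig_secret()
    return (dhcpd_conf_block(domain, subnet, key_name, secret),
            named_conf_local_block(domain, subnet, key_name, secret))


if __name__ == "__main__":
    dhcpd, named = render_both()
    print("# --- paste into /etc/dhcp3/dhcpd.conf ---")
    print(dhcpd)
    print("# --- paste into /etc/bind/named.conf.local ---")
    print(named)
```

Treat the printed output like the .key file: both configuration files now hold the secret, so keep them readable only by root and the bind and dhcpd service accounts.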

You should see something like this

Of course you need to put your own key in there, and tweak the IP scheme if different

Click Save and Close

Next, using the File Manager module edit the file

/etc/bind/named.conf.options

Paste in the following info (these lines go inside the existing options { ... } block of that file; the final }; closes it)

*But don't use the same DNS servers or forwarders as I did; make sure you obtain that info from your ISP.

forwarders {
216.146.35.35;
216.146.36.36;
71.9.127.107;
};

auth-nxdomain no; # conform to RFC1035

listen-on {
192.168.2.1; # listen on local interface only
127.0.0.1; # Make sure machine can get to itself
};

listen-on-v6 { none; };
};

You should see something like this

Do not use the same forwarders I did; make sure you obtain that info from your ISP.

Those are your Public DNS servers

In the above example, I'm using two DNS servers from dyndns.org (safe surfer) and then one from my ISP

Click Save and Close

That's about it for dynamically updating local DNS
You should be able to reboot your Linux box, and then reboot your Windows PC, and the process should be underway.

There are several ways to test to make sure its working

You can try pinging computers by their name, and they should reply.

You should notice that your ping results automatically append the domain name for you. Meaning, if you ping the computer name
Sanx1

You should see it's actually pinging the full name Sanx1.diy.lan.
Without you actually typing all of that.

This is of course assuming your PC is set to DHCP and not Static.

You should also be able to run the following command from your Linux box
And see all kinds of good info

host -l diy.lan

And the reverse, on your Windows PCs, you should be able to do
ping -a IPaddress

And the ping should return back with the computer name

If you were following this how-to very closely, you were probably expecting that name to come back as BlueDell. You're right, I'm just on a different
network today.

Another cool feature is you can edit the files

/var/lib/bind/diy.lan.db

/var/lib/bind/2.168.192.in-addr.arpa

And add multiple names for the same computer. You could have computer 192.168.2.5 respond to as many different names as you want. You could
trick your roommates into thinking they each had their own personal server, by giving the same server multiple names like

Server4room1
Server4room2
Server4room3

Even though they are actually all the same computer.

There are more practical uses for that feature, but you can certainly have fun with it too.

Well, that's about it for DNS

Just remember, when editing those DNS files, stop the bind service first, always increase the serial number by one when editing, and always end the
file with a blank line.

There is always awesome trouble-shooting info in syslog, for whatever problem you might be having. If you are seeing permission denied errors, it
probably wants root to be the owner of the file, and bind to be the group. (file permissions)

A pretty common problem is the journals will get out of sync. All you have to do is delete them and reboot. They are in the /var/lib/bind/ folder
(.jnl) and are created by the bind service.

Syslog is your friend

And check your local email for notices of problems and statuses

Since we added another network card, we need to make sure Samba is listening only on your private network card.

We have done a lot of steps already to prevent this, but you cant be too careful here.

Navigate back to the Samba Windows File Sharing module

Click on Edit Config File

You should see something like this

Make sure both of those two lines are un-commented (meaning remove the leading # or ;)

And change the lines to this

interfaces = 127.0.0.0/8 eth0

bind interfaces only = yes

Where eth0 is your eth_safe interface. Save the changes

And restart the Samba service

Here is how you can check to make sure it's working the way it is supposed to.

Navigate to the Command Shell module and execute the following command

netstat -tapn | grep smbd

Your concern is with the addresses on the left, in the Local Address column

Those represent the interfaces Samba is listening on

If you see anything other than

192.168.2.xxx

And

127.0.0.1

On the left, then there is something wrong: disconnect your internet cable and figure it out.

If you have been following this how-to closely, you probably expected that print screen above to show IP 192.168.2.1. You're right, I'm just on a
different computer today.

This command would make a good Custom Command button too, as it's hard to remember

netstat -tapn | grep smbd
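If you would rather not eyeball the netstat output every time, the same check can be automated. This is an added example, not part of the how-to: it parses the Local Address column of netstat -tapn, keeps only LISTEN sockets owned by smbd, and flags any that are not on loopback or your private 192.168.2.0/24 network, treating 0.0.0.0 (every interface, public card included) as a failure. The two netstat listings below are constructed for the example, not captured from a real machine.

```python
import ipaddress

# Constructed 'netstat -tapn' output for the example (not from a real box):
# Samba bound to loopback and the private card only, which is what you want.
GOOD_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      1234/smbd
tcp        0      0 192.168.2.1:445         0.0.0.0:*               LISTEN      1234/smbd
tcp        0      0 192.168.2.1:139         0.0.0.0:*               LISTEN      1234/smbd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 192.168.2.1:445         192.168.2.74:50123      ESTABLISHED 1240/smbd
"""

# Constructed listing of the failure case: Samba on every interface, which is
# what you see when 'bind interfaces only' is missing or Samba was not restarted.
BAD_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1234/smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1234/smbd
"""

# Where Samba is allowed to listen: loopback and the private LAN from the how-to.
ALLOWED_NETS = (ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.168.2.0/24"))


def smbd_listeners(netstat_text):
    """Return (address, port) for every LISTEN socket owned by smbd."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # netstat -tapn columns: proto recv-q send-q local foreign state pid/prog
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        if not fields[6].endswith("/smbd"):
            continue
        addr, port = fields[3].rsplit(":", 1)
        found.append((addr, int(port)))
    return found


def unexpected_listeners(netstat_text, allowed=ALLOWED_NETS):
    """Listeners outside the allowed networks. 0.0.0.0 (or :: for IPv6) counts
    as unexpected because it means every interface, the public one included."""
    bad = []
    for addr, port in smbd_listeners(netstat_text):
        ip = ipaddress.ip_address(addr)
        if ip.is_unspecified or not any(ip in net for net in allowed):
            bad.append((addr, port))
    return bad


if __name__ == "__main__":
    for label, text in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, "listening on", smbd_listeners(text),
              "unexpected:", unexpected_listeners(text))
```

On the server itself, pipe the real listing in (for example, netstat -tapn | python3 check_smbd.py with a small stdin wrapper) and treat any non-empty result from unexpected_listeners as the "something wrong" case above.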

That brings us to the end of the how-to, I hope you enjoyed it. Don't forget to visit my Website, http://woodel.com and click on the blog link(s)

Now you can stop logging in as username root, and start using username wood.
Or whatever name you picked on page 1.

You can run an apt-get update and finally an apt-get dist-upgrade

That will ensure you have the latest patches and upgrades for the Debian OS.

Thanks ! Enjoy !!

-Kevin Elwood \ KevinTheComputerGuy

You can find my email address, more how-tos, and blog link(s) on my homepage http://woodel.com
If you would like to do even more with your server, you can find additional info here http://woodel.com/domore
